All Posts

@Tron-spectron47 No, unfortunately, you cannot search for an event using the `transaction` command in Splunk without any index or source values. The `transaction` command relies on these values to identify and group related events. Here's why:

* **Index:** The `transaction` command needs an index to specify the location where the events reside within Splunk. Without knowing the index, the command wouldn't know where to look for the events.
* **Source:** The `transaction` command uses the source to distinguish between different log types. Without knowing the source, the command wouldn't be able to differentiate between events relevant to the transaction and unrelated ones.

Please find the below links for reference:
transaction - Splunk Documentation
Identify and group events into transactions - Splunk Documentation
Hi @jovnice, WinEventLog:Application should be the source field and not a string as you are using. Anyway, what's the error you're receiving? Ciao. Giuseppe  
Hi @Tron-spectron47, you could specify index=* in your search so you don't need to use the index name. If instead you also want to avoid specifying index=*, you can search in all the indexes listed in the default search path. At the same time, you don't need to use the source field in your searches. I don't understand what you mean by "the transaction". If you mean a string, you can surely use it; if you mean the transaction Splunk command, it could be possible, but it's too generic a question and should be better detailed. Ciao. Giuseppe
@briancronrath I would request that you contact the Sales team to get a temporary reset license.
@briancronrath Your Splunk deployment is encountering license enforcement restrictions, which is why you were not able to search the data from the indexers.

License Enforcement: This means Splunk is enforcing limits based on your current license.
45 warnings: You've received 45 warnings for exceeding your limit within a 60-day window.
Search disabled: If you receive 45 more warnings, search functionality will be disabled.

Possible Causes:

Data Ingestion: You might be ingesting more data than your license allows.
License Type: Your current license might not accommodate your data volume or usage needs.
License Pool Quota: If using a license pool, a specific member exceeding its quota could trigger warnings.
This is an accurate statement, it doesn't appear there is a two-way method to use what is in the lookups right off to push into an easy-to-design search. Furthermore, it's stacked sys_id after sys_id after sys_id to make sense of the data, as simple things are not what they appear in most deployments of the ServiceNow CMDB.
I presume you want to install the TA on the DS, LM, CM, and SHCD so you can monitor the servers on which they run.  If so, you would have to install the TA on each of those instances manually because they are not clients of a management instance. Another option is to use a third-party software management utility to install the app on all Splunk instances.
Found it myself: How Splunk Enterprise licensing works - Splunk Documentation
Can an event be searched using the transaction without any index or source values? Yes or No, brief answer on selection.
I keep getting an error message when I am attempting to run this command:

```spl
* EventCode=* user=* WinEventLog:Application
| eval src_nt_host=coalesce(src_nt_host,host)
| eval lockout=if(EventCode==644 OR EventCode==4740 OR EventCode==4624,"Yes","No")
| stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user
| eval time=strftime(time,"%c")
| rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures"
| table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"
```

I need to pull the applications that are running in the event viewer. I was able to pull them in a different location, but I want it to show more information along with the user information.
If you have backups of the old data, restore them to the thawed folder.  See https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Restorearchiveddata for details. If you don't have backups then the old data is gone forever.
This requires further troubleshooting on agent-side log analysis.
Please refer - https://docs.appdynamics.com/appd/22.x/22.1/en/infrastructure-visibility/machine-agent/machine-agent-requirements-and-supported-environments
Okay, I am assuming that will change the retention for future events, but how can I get the old logs back?
How are you doing procedures for Notable Events? The description field doesn't support paragraph breaks. I'd been using Next Steps as my space for procedures. With the upgrade to 7.3.0, my Next Steps all have `{"version":1,"data":"` appended at the start. If I try to update them, it appears Splunk upgrades the text to the new version and linebreaks are no longer supported and my procedures turn into giant blobs of text.
You can also try this regex:

"Key":\s*"Owner",\s*"ValueString":\s*"(?<Team_Name>[^"]*)"
Hi Splunkers, I have to calculate daily ingested volume in a Splunk Enterprise environment. Here on the community I found a lot of posts, and related answers, to a similar question: daily license consumption, but I don't know if it is what I need. I mean: we know that, once data are ingested by Splunk, a compression factor is applied and, in a non-clustered environment, it is more or less 50%. So, for example, if I have 100 GB of data ingested per day, the final size on disk will be 50 GB. Well, I have to calculate total GB BEFORE compression is applied. So, in my above example, the search/method I need should NOT return 50 GB as the final result, but 100 GB. Moreover, in my current env, I have an indexer cluster. So, what is not clear is: is daily consumed license what I need? I mean: when I see the daily consumed license for my environment, are the GB returned the ingested ones BEFORE compression, or the compressed ones?
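Added example (not from the original post or from Splunk's documentation) of reading daily ingest from license_usage.log. Splunk meters the license against the raw byte volume of data as it is indexed, before compression, so the `b` (bytes) field of `type=Usage` events in that log is the pre-compression figure asked about above; the on-disk bucket size is a separate number. `_internal`, `b` and `idx` are real Splunk index/field names; the 7-day window and the output field names are choices made for this illustration.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-7d@d latest=@d
| timechart span=1d sum(b) AS bytes
| eval ingested_GB=round(bytes/1024/1024/1024, 2)
| fields - bytes

index=_internal source=*license_usage.log* type=Usage earliest=-7d@d latest=@d
| eval GB=b/1024/1024/1024
| timechart span=1d sum(GB) by idx
```

Two caveats for a clustered environment: license_usage.log is written by the license manager, so the search only works from a search head whose `_internal` index contains that instance's logs (forward the license manager's internal logs to the indexers, or run the search on the license manager itself). And when a pool sees many distinct sources or hosts, the `s` and `h` fields of Usage events are squashed and stop being meaningful; the `idx` breakdown in the second search is not affected.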
I am trying to create a Transaction where my starting and ending 'event' have exactly the same time. In _raw the time is "Wed Feb 21 08:15:01 CST 2024". My current SPL is:

```spl
| transaction keeporphans=true host aJobName startswith=("START of script") endswith=("COMPLETED OK" OR "ABORTED, exiting with status")
```

But my transaction only has the starting event. So I added the following, which had no change?

```spl
| eval _time = case(match(_raw, "COMPLETED OK"), _time+5, match(_raw, "ABORTED"), _time+5, true(), _time)
| sort _time
| transaction keeporphans=true host aJobName startswith=("START of script") endswith=("COMPLETED OK" OR "ABORTED, exiting with status")
```

When I added the above changes, when I look at the events in the 'Time' column they are 5 seconds apart, yet Transaction does not associate them?
2/21/24 8:15:01.000 AM (Starting Event)
2/21/24 8:15:06.000 AM (Ending Event)
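An added example, not from the original post, of pairing the start and end events with `stats` instead of `transaction`. `stats` groups purely on field values, so two events that share a timestamp pair up regardless of the order in which the search delivers them; `transaction`, by contrast, works on the stream of events in the order it receives them (normally newest first), and a `sort _time` in front of it changes that order. `host` and `aJobName` are the fields from the post and the three marker strings are the ones quoted above; the index and sourcetype are assumptions, and the example assumes each aJobName runs at most once on a host within the searched window (add a run identifier to the `by` clause if that is not the case).

```spl
index=batch_jobs sourcetype=job_log earliest=-1d@d
| eval phase=case(match(_raw, "START of script"), "start",
                  match(_raw, "COMPLETED OK"), "ok",
                  match(_raw, "ABORTED, exiting with status"), "aborted")
| where isnotnull(phase)
| stats min(_time) AS start_time, max(_time) AS end_time, values(phase) AS phases by host, aJobName
| eval status=case(isnotnull(mvfind(phases, "^ok$")), "COMPLETED OK",
                   isnotnull(mvfind(phases, "^aborted$")), "ABORTED",
                   true(), "no end event"),
       duration_sec=end_time-start_time
| convert ctime(start_time) ctime(end_time)
| table host aJobName start_time end_time duration_sec status
```

A job whose start and end carry the identical timestamp shows `duration_sec=0` with its status still resolved from the end marker, and a job with only a start event is reported as "no end event" instead of being dropped, which is the same information `keeporphans=true` was meant to preserve.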
When dealing with historical data in Splunk, there are a few factors to consider.
i) Check if your Splunk deployment has custom retention policies configured. You can adjust these policies to retain data for a longer period of time.
I think that you should read:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf