Hi all, I'm getting this error periodically with my local Splunk Enterprise installation on Mac OS. I've resorted to just reinstalling when this happened in the past, but I'd like to avoid that and understand the cause / fix. Splunk was running but seemed to hang when I tried to restart from the web UI. After that I get this error when trying to start. If I try to stop via CLI, it says splunkd is not running. Help is very much appreciated as this is getting to be a real pain.
Hi @Tetiana.Kovalchuk, Thanks for posting your question on the Community. Since it's been a few days and the community has not jumped in to help, you have a few options.
1. You can request a call with an AppD Consultant
2. You can submit a Support ticket: How do I submit a Support ticket? An FAQ
Hi @av_, if you don't have a streaming command (such as stats or timechart) in the base search, you must specify, at the end of the base search, all the fields that you need to use in the panels. In your case: `index=main source=xyz | fields host panel _time` Ciao. Giuseppe
Thank you @richgalloway you are helpful as always
Hi @Iris, I never tested automatic testing tools on Splunk, but many years ago I used LoadRunner on other web applications. Are you looking for a tool, or something else? Ciao. Giuseppe
@Tron-spectron47 No, unfortunately, you cannot search for an event using the `transaction` command in Splunk without any index or source values. The `transaction` command relies on these values to identify and group related events. Here's why:
* **Index:** The `transaction` command needs an index to specify the location where the events reside within Splunk. Without knowing the index, the command wouldn't know where to look for the events.
* **Source:** The `transaction` command uses the source to distinguish between different log types. Without knowing the source, the command wouldn't be able to differentiate between events relevant to the transaction and unrelated ones.
Please find the links below for reference:
transaction - Splunk Documentation
Identify and group events into transactions - Splunk Documentation
Hi @jovnice, WinEventLog:Application should be the source field and not a string as you are using. Anyway, what's the error you're receiving? Ciao. Giuseppe  
Hi @Tron-spectron47, you could specify index=* in your search so you don't need to use the index name. If instead you also want to avoid specifying index=*, you can search in all indexes listed in the default search path. At the same time, you don't need to use the source field in your searches. I don't understand what you mean by "the transaction". If you mean a string, you can surely use it; if you mean the transaction Splunk command, it could be possible, but it's too generic a question and should be detailed further. Ciao. Giuseppe
@briancronrath I would request that you contact the Sales team to get a temporary reset license.
@briancronrath Your Splunk deployment is encountering license enforcement restrictions, which is why you were not able to search the data from the indexers.
License Enforcement: This means Splunk is enforcing limits based on your current license.
45 warnings: You've received 45 warnings for exceeding your limit within a 60-day window.
Search disabled: If you receive 45 more warnings, search functionality will be disabled.
Possible Causes:
Data Ingestion: You might be ingesting more data than your license allows.
License Type: Your current license might not accommodate your data volume or usage needs.
License Pool Quota: If using a license pool, a specific member exceeding its quota could trigger warnings.
This is an accurate statement; it doesn't appear there is a two-way method to use what is in the lookups right off to push into an easy-to-design search. Furthermore, it's stacked sys_id after sys_id after sys_id to make sense of the data, as simple things are not what they appear in most deployments of the ServiceNow CMDB.
I presume you want to install the TA on the DS, LM, CM, and SHCD so you can monitor the servers on which they run.  If so, you would have to install the TA on each of those instances manually because they are not clients of a management instance. Another option is to use a third-party software management utility to install the app on all Splunk instances.
Found by myself: How Splunk Enterprise licensing works - Splunk Documentation
Can an event be searched using the transaction without any index or source values? Yes or No, brief answer on selection
I keep getting an error message when I am attempting to run this command:
`* EventCode=* user=* WinEventLog:Application | eval src_nt_host=coalesce(src_nt_host,host) | eval lockout=if(EventCode==644 OR EventCode==4740 OR EventCode==4624,"Yes","No") | stats latest(_time) as time, latest(src_nt_host) as host, latest(lockout) as lockedout values(dest_nt_domain) as dest_nt_domain count(eval(EventCode=4625 OR EventCode=4771)) as count values(Source_Network_Address) as Source_Network_Address by user | eval time=strftime(time,"%c") | rename user to "User Name", Source_Network_Address to "IP Address", count to "Number of Failures" | table dest_nt_domain "User Name" host lockedout time "IP Address" "Number of Failures"`
I need to pull the applications that are running in the Event Viewer. I was able to pull them in a different location, but I want it to show more information along with the user information.
If you have backups of the old data, restore them to the thawed folder.  See https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Restorearchiveddata for details. If you don't have backups then the old data is gone forever.
This requires further troubleshooting on agent-side log analysis.
Please refer to https://docs.appdynamics.com/appd/22.x/22.1/en/infrastructure-visibility/machine-agent/machine-agent-requirements-and-supported-environments
Okay, I am assuming that will change the retention for future events, but how can I get the old logs back?