All Posts

This worked perfectly. Thank you!
Hi, I am looking to add a custom time picker on a dashboard. It's going to be a simple dropdown with an option for each of the last 12 months (one option per month in the last year). I have created the dropdown as per the requirement. Now I am wondering how to use it in the rest of the dashboard so the dashboard gets updated as per the selection.

Query:

| makeresults
| addinfo
| eval date=mvrange(info_min_time,info_max_time,"1mon")
| mvexpand date
| sort - date
| eval Month=strftime(date,"%b-%y")
| table Month date
Yes, this looks correct
I have events like the one below that say when a particular pool member was out of rotation for a particular period of time. The ideal search would match all events that contain "was down for" followed by the length of time, then simply average that and take the 95th percentile of that duration. Probably more difficult than it seems, and I'm not sure how to approach it.

<133>Feb 13 13:01:33 slot2/US66666-CORE-LTM1.company.COM notice mcpd[8701]: 01070727:5: Pool /Common/pool-generic member /Common/servernamew006:8080 monitor status up. [ /Common/mon-xxx-prod-xxx-liveness: up ] [ was down for 0hr:0min:15sec ]

host = US66666-core-ltm1.company.com
source = /var/log/HOSTS/US66666-core-ltm1.company.com/xxx.xxx.com-syslog.log
sourcetype = syslog_alb
@ITWhisperer I just want to be sure that we are extracting the timestamp correctly. My doubt is that for an event which has the timestamp 2024-02-16T11:46:02.9895330Z, we have created the time format as %Y-%m-%dT%H:%M:%S.%9N%Z, but the _time field shows values like 2/16/24 11:46:02.989 AM. So is this correct? Thank you so much for the help. Regards.
Hello, you can collect the logs with the following configuration in inputs.conf:

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
index = windefender
evt_resolve_ad_obj = 1
Hi @MattiaP, sorry, what's the relation between an index and MongoDB? If you are missing events in only one index, you should check the inputs.conf that ingests the data stored in that index. The only exception is if you have an index override; do you have one?
Ciao.
Giuseppe
Yes, I need to check if a particular index is used in any TA.
You can see the index of the source by using the query below:

| tstats latest(_indextime) as latest where index IN (index1,index2,index3,index4) earliest=-48h by source index
| eval delay = now() - latest
| where delay > 86400
| eval delay=tostring(delay, "duration")
| fields - latest

The above query checks events ingested in the last 48 hours and filters for sources that have not sent data for at least 24 hours. Looking 48 hours back makes sure that daily-updated sources are taken into account.
Have you tried series colors rather than fieldColors?
Hi, I have an index that doesn't show events anymore. Could you help me please? In November I had a problem with MongoDB and I tried these solutions:
- https://community.splunk.com/t5/Knowledge-Management/Why-are-we-getting-these-errors-KV-Store-Process-Terminated/m-p/449940 --> doing this I noticed that the permissions of the files inside this folder had changed. May this be the cause of the problem? This solution didn't work.
- I solved the problem doing this
Could you help me please? Thank you
Essentially, you can't do this - you have the chart and the legend, nothing else. Having said that, you could rename the x-axis field so that it includes the data you want to display. However, since your x-axis is _time, if you rename it to something else, it will not be displayed in the same way - an x-axis using _time is treated in a special way by charts.
Hi, I created a column chart that displays avg(totalTime) over 5-minute increments by organization. I am looking to add the latest count for the organization in the bottom corner of the chart. I just want to display the count at the bottom of the chart where the legend is. How do I accomplish this?

Column chart query to graph avg(totalTime) by organization:

index | timechart span=5m avg(totalTime) as avg

Volume (where I want to display the value of the latest count on the chart above, near the legend):

index | timechart span=5m count by organization

Kindly help.
Hi, I am trying to create a column chart where, if the value is greater than 3, the column turns red, while if the value is less than or equal to 3, the column is green. Below is the search I started off with:

index | timechart span=5m avg(totalTime) as avg_value limit=20 | eval threshold=3

I tried:

index | timechart span=5m avg(totalTime) as avg_value limit=20
| eval threshold=3
| eval "red"=if(avg_value > threshold, avg_value, 0)
| eval "green"=if(avg_value <= threshold, avg_value, 0)
| fields - avg_value

Then I went into the source code and defined the colors, but the column chart did not change colors.

<option name="charting.fieldColors">{"red":0xFF0000,"green":0x73A550}</option>

I do not want the columns stacked. Kindly help.
Hi All, we are starting to look at application monitoring and our first target will definitely be SAP. I can see there are a number of SAP apps in Splunkbase. Does anyone have any info on a comparison of these, and any Splunk guides or best practices to start looking at this? I've not worked with any monitoring at this application level previously, so I'm really starting from first principles and gathering as much info as possible. Thank you for reading. All the best.
Hi @scelikok, thanks for the query. This query is not giving any info about the index. Can the index field be added as well while displaying the results? Also, there are certain source log files which are created daily based on the date. So, how will that be taken into account?
Hi @richa, probably source isn't the best field to check ingestion with, because it usually changes; for this reason I used sourcetype. Otherwise, you could use index:

| tstats count latest(_time) AS _time WHERE index IN (index1, index2, index3, index4) earliest=-30d@d BY index
| eval period=if(_time>now()-86400,"Last 24 hours", "Previous")
| stats dc(period) AS period_count values(period) AS period BY index
| where period_count=1 AND period="Previous"
| table index _time

Ciao.
Giuseppe
Hi @gcusello, thanks for the query. But I would like to have it on sources and not sourcetype, as certain sourcetypes can have a few log sources configured in them. Also, one more thing I would like to add: there are a few log files which are created daily based on the date. If we configure the alert on log sources, then those log sources will show up in the alert search as not receiving logs, since new files are generated daily. So, how do I cater for that scenario?
Hello, thank you for the response. This is considered a vulnerability and we can't unrestrict it. At the moment, all our dashboards made in HTML have jQuery version 2.1.0. If there was a way to set the dashboard version to 1.1 like we did for the other Simple XML dashboards, that would be great. Thanks
Hi @richa, having a lookup will give you more control over the check process, but anyway, if you want to check the sourcetypes in four indexes that didn't send logs in the last 24 hours but did send in the previous 30 days, you can run the following search:

| tstats count latest(_time) AS _time values(index) AS index WHERE index IN (index1, index2, index3, index4) earliest=-30d@d BY sourcetype
| eval period=if(_time>now()-86400,"Last 24 hours", "Previous")
| stats dc(period) AS period_count values(period) AS period BY sourcetype
| where period_count=1 AND period="Previous"
| table sourcetype index _time

Ciao.
Giuseppe