All Posts
Tried the query below, but not getting values by site: index=abc mal_code=xyz TERM(application) OR (TERM(status) TERM(success)) NOT (TERM(unauthorized) TERM(time) TERM(mostly)) site=* |stats count by Srock site |stats sum(count) as Success |appendcols [search index=abc mal_code=xyz (TERM(unauthorized) TERM(time) TERM(mostly)) NOT (TERM(status) TERM(success)) site=* |stats count by ID site |fields ID site |eval matchfield=ID |join matchfield [search index=abc mal_code=xyz site=* "application" |stats count by Srock site |fields Srock site |eval matchfield=Srock] |stats count(matchfield) as Failed] |eval Total=Success+Failed |eval SuccessRate=round(Success/Total*100,2) |table *
Two independent search heads may have separate sets of field extractions defined, which would explain why you don't see the same fields on each SH.  Use btool on each SH to view and compare the props and transforms settings. If your query references a data model then that data model is used in your search; otherwise, no data model is used.
The eval command merely assigns a value to a field (variable).  It has no effect on the time picker. What *does* override the time picker are the earliest and latest options in the search command.
Hello, your code moved the panel to the left when you set it to 40%, but not the text. It showed a grey area on the right side. Tried to use 100%. It turns out the text-align: left didn't do anything. Thanks. I would like to align the text like the following:
Hi, I am working my way through some of the Splunk courses. I am currently on "working with time". In one of the videos the following command is used to find all results within the past day, rounding down: "| eval yesterday = relative_time(now(),"1d@h")". However, when I attempt this command myself, it simply prints the "yesterday" value, but it uses the time specified in my time picker, not in the actual command. I was under the impression that any time specified within a command would automatically overwrite the time picker. Was I mistaken in this? Or am I perhaps using the command incorrectly? Any help would be greatly appreciated.
The custom app will need a different sourcetype name if the sourcetype is to have different settings from the official app.  That means you also will need to change the input to use the custom sourcetype.
My company is transitioning from an on-premise MFA setup within ADFS to the Azure MFA setup.  What's the best approach to getting those MFA events into Splunk?  Does the Splunk Addon for Microsoft Azure (splunkbase 3757) meet that goal?  
Been struggling for a while on this one. On-prem Splunk Enterprise v9.1.2, running on CentOS 7.9. Just trying to find a consistent way to be able to upload log files through HTTP Event Collector (HEC) tokens. I found the whole RAW vs JSON thing confusing at first and thought the only way to be able to specify/override values like host, sourcetype, etc. was to package up my log file in the JSON format. Discovered today that you can specify those values in the RAW URL, like so: https://mysplunkinstance.com:8088/services/collector/raw?host=myserver&sourcetype=linux_server which was encouraging. It seemed to work. And I think I've gotten further ahead. I now have this, effectively, as my curl command running in a bash script (URL quoted so the shell does not treat the & as a background operator): curl -k "https://mysplunkinstance.com:8088/services/collector/raw?host=myserver&sourcetype=linux_server" -H "Authorization: Splunk <hec_token>" -H "Content-type: plain/text" -X 'POST' -d "@${file}" Happy to report that I now see the log data. However, it only seems happy if it's a single-line log. When I give it a log file with more lines, it just jumbles it all together. I thought it would honour the configuration rules we have programmed for sourcetype=linux_secure (from community add-ons and our own updates) but it doesn't. Loading the same file through Settings -> Add Data has no problem properly line-breaking per the configuration. I'm guessing there is something I am missing then in how one is meant to send RAW log files through HEC?
Anyone know how and what path to query on a Splunk Cloud instance to pull existing SAML configuration details and certificate? I can view the information by browsing to Settings -> Authentication method -> SAML -> SAML configuration. I want to be able to export that information, if it is captured in a file, as a backup prior to migrating to a different authentication method. Thanks in advance.
We see this exact issue and it started after upgrading to 9.2.0.1. Suppressing the warning works as expected, but I was curious if you found this specific to 9.2. We are upgrading from 9.0.5, so it may have been introduced in 9.1 as well.
Correction, I need to re-pin them in reverse order, as the most recently pinned app goes to the top.
Hi, based on your screenshots it's just like you said, and the docs told this wrongly. You should leave a comment/correction on that doc page. They are happy to get feedback and will correct this sooner or later. On Linux that user is splunkfwd, as the docs say. r. Ismo
Now I notice that all of the apps that existed prior to the upgrade are already pinned. The only unpinned apps are the few we have added since then. Presumably that means I can just unpin everything and then re-pin in the order I want. I miss the dragging.
Hi, if you need a silent installation on macOS, then it's probably better to use the tar.gz package? r. Ismo
Unfortunately that’s true.
Hi, the screenshot was an example. I installed the official app "Mimecast for Splunk" with app folder "TA-mimecast-for-splunk", and I created a custom app called "Mimecast for LiveSOC" with app folder "TA-mimecast-for-livesoc". I need to know if the custom app name is correct to force the data to use the sourcetype configuration from the custom app and not from the official app.
This was perfect, TY.   I updated /etc/security/limits with the appropriate values and all is working now.
I am in the same boat. Any update on the above request?
Hi @Ajit.kunjir, I wasn't able to find anything specific on how to do it, but from some Support tickets I read, it seems possible. I would recommend reaching out to our AppD Consultants for a quick session.  https://community.appdynamics.com/t5/Knowledge-Base/A-guide-to-AppDynamics-help-resources/ta-p/42353#call-a-consultant
This ended up working - not sure what was wrong before, I think the timestamps were off. But it's all there, thanks!