Hi @gcusello, thank you for sharing your valuable insights and warnings based on your experience. The heads-up regarding the potential need for Professional Services and the strict OS package versioning is particularly helpful. We will be sure to discuss these important points internally with our team as we plan our next steps. We appreciate you taking the time to provide this advice. Thanks. Zake
Good catch. Timestamp recognition takes place right after line breaking, definitely way before all this field shuffling. So the timestamp at this point is still in the header of the event.
That's why I'm saying that without knowing your full config it's impossible to tell you where it comes from. The "none" value seems like some kind of safeguard calculated value so that you have _some_ value assigned even if no/wrong value was extracted in the first place (it's a typical operation for some fields in CIM data models, for example). But normally I'd expect it to overwrite the original field. So for now we can only guess.
Hi @alvinsullivan01, you used a wrong TIME_PREFIX: the timestamp is calculated as the first operation, so please try: TIME_PREFIX = ^ Ciao. Giuseppe
Supported can mean different things here. Will you be able to install? Most probably. Will it run? Ditto. Will it run reasonably fast? Depends highly on the overall storage architecture - it is a completely different story when you have this kind of setup on a single NL-SAS 7k drive than when you have it on a LUN exported from an NVMe-backed array. Will Splunk Support, in case of any problem, tell you that you have your installation incorrectly set up? Possibly.
Hi @zksvc, beware: for UBA installation, Splunk PS is usually required. If you do it yourself (I tried last year) and you have an issue (usually very frequent!), the first requirement from Splunk Support is PS installation and you have to restart from scratch calling them! The installation procedure is very detailed in the documentation but not all the details are described, so beware! In addition, make a very deep check on the operating system version: when we installed UBA last year, Red Hat 7.x was required, but we had some packages of the installation (not all) updated to Red Hat 8 (even if the declared version of the installation was Red Hat 7), so UBA didn't work! Ciao. Giuseppe
Hi @PrewinThomas, thank you for your clear and helpful answer. Your explanation confirms our concerns regarding the potential for I/O bottlenecks and the importance of adhering to the documented disk layout. Based on your advice, we will coordinate with our infrastructure team to provision the required separate disks and restructure our server to align with the best practices for a production environment. I appreciate your expertise. Best regards, Zake
Oh, thank you. So that's just pointing the bucket like the sample, right?
@PickleRick Thank you for the info! That may explain why some of the fields are not showing up in interesting fields. Though I can see, as in my screenshot, that there is only one "timestamp" field in my JSON and it has a value, so I'm still not sure where the "none" is coming from.
@zksvc The recommendation to use separate physical disks (e.g., /dev/sdb and /dev/sdc) for mount points like /var/vcap1 and /var/vcap2 is primarily driven by I/O performance and data isolation. For complete production use, I wouldn't recommend it due to potential I/O bottlenecks. Also, it may not be supported by Splunk Support if performance issues arise.
Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving Karma. Thanks!
It's hard to say without knowing your full config. Anyway, answering your earlier question, the "interesting fields" section shows only fields for which there is a value in at least some part of all your events (I don't remember the threshold - 10%? 15%?). So if you have a field which appears in just 3% of your search results it will not be listed under interesting fields. One more thing: if you have a value of "none" for your timestamp field it means that it has been explicitly assigned this value. If there is no value, there's just no value. "none" in this case is a string saying "none".
@splunklearner Your XML contains empty sections, which is throwing warnings. Try the below to highlight the message and the drop-down samples.

<form version="1.1" theme="light">
  <label>Dashboard</label>
  <!-- NOTICE PANEL FIRST -->
  <row>
    <panel>
      <html>
        <style>
          .notice-box {
            background-color: #fff3cd;
            border-left: 4px solid #ffa500;
            padding: 10px 15px;
            font-family: Arial, sans-serif;
            font-size: 13px;
            margin-bottom: 10px;
            border-radius: 4px;
          }
          .notice-box h3 {
            color: #d9534f;
            margin: 0 0 5px 0;
            font-size: 12px;
          }
        </style>
        <div class="notice-box">
          <h3>⚠️ Performance Notice</h3>
          <p><strong>Please avoid selecting long time ranges</strong> (e.g., <em>Last 30 days</em>) unless absolutely necessary, as it may impact dashboard performance.</p>
          <p>Make sure to choose your <strong>Index Name</strong> to begin viewing data.</p>
        </div>
      </html>
    </panel>
  </row>
  <!-- DROPDOWNS IN SEPARATE ROW -->
  <row>
    <panel>
      <input type="dropdown" token="index_tok" searchWhenChanged="false">
        <label>Select Index</label>
        <choice value="main">main</choice>
        <choice value="other">other</choice>
      </input>
      <input type="time" token="time_tok" searchWhenChanged="false">
        <label>Select Time Range</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
    </panel>
  </row>
  <!-- SEARCH AND RESULTS -->
  <search id="base_search">
    <query>index=$index_tok$ ...</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <!-- Add your result panels here -->
</form>
Thank you. Giving you karma points.
Try the below:

<form version="1.1" theme="light">
  <label>Dashboard</label>
  <!-- NOTICE PANEL FIRST -->
  <row>
    <panel>
      <html>
        <style>
          .notice-box {
            background-color: #fff3cd;
            border-left: 4px solid #ffa500;
            padding: 10px 15px;
            font-family: Arial, sans-serif;
            font-size: 13px;
            margin-bottom: 10px;
            border-radius: 4px;
          }
          .notice-box h3 {
            color: #d9534f;
            margin: 0 0 5px 0;
            font-size: 12px;
          }
        </style>
        <div class="notice-box">
          <h3>⚠️ Performance Notice</h3>
          <p><strong>Please avoid selecting long time ranges</strong> (e.g., <em>Last 30 days</em>) unless absolutely necessary, as it may impact dashboard performance.</p>
          <p>Make sure to choose your <strong>Index Name</strong> to begin viewing data.</p>
        </div>
      </html>
    </panel>
  </row>
  <!-- DROPDOWNS IN SEPARATE ROW -->
  <row>
    <panel>
      <input type="dropdown" token="index_tok" searchWhenChanged="false">
        <label>Select Index</label>
        <choice value="main">main</choice>
        <choice value="other">other</choice>
      </input>
      <input type="time" token="time_tok" searchWhenChanged="false">
        <label>Select Time Range</label>
        <default>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </default>
      </input>
    </panel>
  </row>
  <!-- SUBMIT BUTTON IN ITS OWN ROW -->
  <row>
    <panel>
      <fieldset submitButton="true" autoRun="false"/>
    </panel>
  </row>
  <!-- SEARCH AND RESULTS -->
  <search id="base_search">
    <query>index=$index_tok$ ...</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <!-- Add your result panels here -->
</form>

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving Karma. Thanks!
@elend As @richgalloway mentioned, this is exactly what SmartStore is designed for. Hot buckets stay on local disk for fast ingestion and search, and warm buckets are offloaded to remote storage (e.g., S3). https://docs.splunk.com/Documentation/SVA/current/Architectures/SmartStore
Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving Karma. Thanks!
I have one more problem here. I want the important notice to be on top, but here the dropdowns are on top. I tried to create a row and panel for the dropdowns so that they come below the notice message, but I am not able to add the submit button clearly. Can someone help me with this?
<form version="1.1" theme="light">
  <!-- Dashboard Name -->
  <label>Dashboard</label>
  <!-- Search Panel BEGIN -->
  <!-- Search Panel END -->
  <!-- Table BEGIN -->
  <row>
    <panel>
      <html>
        <div style="
          background: linear-gradient(120deg,#fff5f5 0%,#fff 100%);
          border-left: 6px solid #ff9800;
          box-shadow: 0 2px 6px rgba(0,0,0,.12);
          border-radius: 6px;
          padding: 18px 24px;
          font-family: -apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif;
          font-size: 15px;
          line-height: 1.45;">
          <h3 style="color:#d84315; margin:0 0 8px 0; display:flex; align-items:center;">
            <!-- unicode icon (search engine–friendly, scales with text size) -->
            <span style="font-size:32px; margin-right:12px;">⚠️</span>
            Important Notice
          </h3>
          <p style="margin:0 0 10px 0; color:#424242;">
            Avoid running the dashboard for long date ranges <strong>(Last 30 days)</strong> unless strictly needed – it may impact performance. Use shorter ranges for faster results.
          </p>
          <p style="margin:0; color:#424242;">
            Please ensure an <strong>Index Name</strong> is selected - this is required to load dashboard data.
          </p>
        </div>
      </html>
    </panel>
  </row>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="index">
      <label>Enter your Index Name</label>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
        <query> ------ |stats count by index</query>
        <earliest>$time_range.earliest$</earliest>
        <latest>$time_range.latest$</latest>
      </search>
    </input>
    <input type="text" token="support_id_tok" searchWhenChanged="false">
      <label>Enter support_id</label>
    </input>
    <input type="time" token="time_range" searchWhenChanged="false">
      <label>Select time range</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <a class="btn btn-primary pull-left" href="/app/search/------">Reset</a>
      </html>
    </panel>
  </row>
  <row depends="$support_id_tok$">
    <panel>
      <html>
        <div style="display: flex; justify-content: space-between; border-bottom: 1px solid #ccc; padding-bottom: 5px; padding-right: 150px; margin-bottom: 10px;">
-------------Rest of the dashboard------------------
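The two problems raised in this dashboard thread (empty sections that make Splunk emit warnings, and a form-level fieldset whose inputs render above every row, which is why the answer moved the inputs into a panel) can be caught before the XML is uploaded. Below is a small Simple XML linter written as an added example; it is not code from the thread or from Splunk. The SAMPLE_DASHBOARD text is constructed for the example, the lint_dashboard and base_token helpers and the BUILTIN_HEADS list of Splunk-populated token prefixes are assumptions, and as a third check it goes beyond the thread by reporting $token$ references that no <input> defines.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): one empty <panel>, a form-level
# <fieldset>, and a query that references a token no <input> defines.
SAMPLE_DASHBOARD = """<form version="1.1" theme="light">
  <label>Dashboard</label>
  <row>
    <panel/>
  </row>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="index_tok">
      <label>Select Index</label>
      <choice value="main">main</choice>
    </input>
    <input type="time" token="time_tok">
      <label>Select Time Range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <search id="base_search">
    <query>index=$index_tok$ support_id=$support_id_tok$ | stats count</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
</form>
"""

# Layout elements that Splunk warns about when they contain nothing.
CONTAINER_TAGS = {"row", "panel", "fieldset"}
# Token heads Splunk populates itself rather than an <input> (assumed list).
BUILTIN_HEADS = {"env", "click", "row", "result", "job"}
# $name$, $name.earliest$, $form.name$, $env:app$ ... anything between two '$'
TOKEN_RE = re.compile(r"\$([^$\s]+)\$")


def base_token(raw):
    """'time_tok.earliest' -> 'time_tok', 'form.index_tok' -> 'index_tok';
    None for tokens Splunk sets itself such as env:app or click.value."""
    parts = re.split(r"[.:]", raw, maxsplit=1)
    head = parts[0]
    if head in BUILTIN_HEADS:
        return None
    if head == "form" and len(parts) == 2:
        return parts[1].split(".", 1)[0]
    return head


def lint_dashboard(xml_text):
    """Return a list of finding strings for one Simple XML dashboard source."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []

    # 1. Empty layout containers: no child elements and no text at all.
    for elem in root.iter():
        if elem.tag in CONTAINER_TAGS and len(elem) == 0 and not (elem.text or "").strip():
            findings.append(f"empty <{elem.tag}> element")

    # 2. A form-level <fieldset> renders its inputs above every <row>, so a
    #    notice row placed before it in the source still ends up below it.
    for fieldset in root.findall("fieldset"):
        if fieldset.find("input") is not None:
            findings.append("form-level <fieldset> inputs render above all rows; "
                            "place inputs inside a <panel> if a row must come first")

    # 3. Every $token$ used in element text or attributes should come from an <input>.
    defined = {elem.get("token") for elem in root.iter("input") if elem.get("token")}
    referenced = set()
    for elem in root.iter():
        for text in [elem.text or "", *elem.attrib.values()]:
            for raw in TOKEN_RE.findall(text):
                name = base_token(raw)
                if name:
                    referenced.add(name)
    for name in sorted(referenced - defined):
        findings.append(f"token ${name}$ is referenced but no <input> defines it")
    return findings


if __name__ == "__main__":
    for finding in lint_dashboard(SAMPLE_DASHBOARD):
        print(finding)
```

Run it against the dashboard source before saving it in Splunk; a clean file returns an empty list, and the fieldset finding is informational, since a form-level fieldset is the normal choice whenever nothing needs to appear above the inputs.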
@abhi04 Try including the Status field explicitly:

index=xxxxx source="yyyyy"
| eval UpStatus=if(Status=="up",1,0)
| stats last(UpStatus) as val, latest(Status) as Status by Instance host

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving Karma. Thanks!