All Posts

How can we fix this error?

"I need to create a dashboard with two queries in one dashboard, one query having a fixed time range of "Today" and the other query needs to select "earliest and latest" from the drop down. The data dropdown will have two values "Yesterday" and "last week". Last week is the day from last week (if today is Feb 13, last week should show data from Feb 06)"

For e.g.:

index="abc" sourcetype="Prod_logs"
| stats count(transactionId) AS TotalRequest (***earliest and latest needs to be derived as per user selection from drop down)
| appendcols [search index="abc" sourcetype="Prod_logs" earliest=@d latest=now (****Today's data****)
    | stats count(transactionId) AS TotalRequest]
This works perfectly fine.
And with the update to Splunk Enterprise 9.2.0 the issue came back again :-(.
I am currently working on it too. I have found this general documentation that deals with Splunk-BMC helix integration: https://docs.bmc.com/docs/intelligentintegrations/222/integrating-with-splunk-enterprise-1083311397.html ... and let me know if you have made any progress.
Hi @Strangertinz, your search seems to be correct, what's your issue? Ciao. Giuseppe
Hi @nithin204, what's the error you have? Anyway, the string you're using is correct (I suppose that the second $ was a mistyping), but in the dashboard editor you have to use a different notation for &; you must use &amp;:

<link>search?q=$drilldown_srch?earliest=$field1.earliest$&amp;latest=$field1.latest$|u$</link>

Ciao. Giuseppe
Hi All,

I am trying to pass time variables to the search when I click on a value in a drilldown dashboard. Below is the source of the dashboard:

<form version="1.1">
  <label>test12</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>test12</title>
      <table>
        <search>
          <query>index=_internal status=* sourcetype=splunkd |lookup test12 name AS status OUTPUT value | stats count by value</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown target="_blank">
          <set token="drilldown_srch">index=_internal status=* sourcetype=splunkd |lookup test12.csv name as status output value | where value=$row.value$</set>
          <link>search?q=$drilldown_srch|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

I tried adding the time variables in the link as below but no luck:

<link>search?q=$drilldown_srch?earliest=$field1.earliest&latest=$field1.latest$|u$</link>

Thanks
Hello, this app was working fine for me until I updated to Splunk Enterprise 9.1.2, whereupon the urllib library keeps making errors where it does not understand HTTPS. From some rudimentary googling, it appears this may be related to the Splunk python urllib library not being compiled to use SSL. Would it be possible to refactor this app to use the http request helper functions?

bash-4.2$ /opt/splunk/bin/python3 getSplunkAppsV1.py
Traceback (most recent call last):
  File "getSplunkAppsV1.py", line 92, in <module>
    main()
  File "getSplunkAppsV1.py", line 87, in main
    for app_json in iterate_apps(app_func):
  File "getSplunkAppsV1.py", line 76, in iterate_apps
    data = get_apps(limit, offset, app_filter)
  File "getSplunkAppsV1.py", line 35, in get_apps
    data = json.load(urllib.request.urlopen(url))
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 548, in _open
    'unknown_open', req)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 1420, in unknown_open
    raise URLError('unknown url type: %s' % type)
urllib.error.URLError: <urlopen error unknown url type: https>

(The same error is produced when I use python version 2)
Dears,

I have resolved the issue by adding the below configuration under outputs.conf in the deployment server, then restarting the Splunk service in the deployment server.

[indexAndForward]
index = true
selectiveIndexing = true

You can see the below URL:

Upgrade pre-9.2 deployment servers - Splunk Documentation
@wvalente2  Are you looking for this? https://community.splunk.com/t5/Splunk-Dev/Table-row-expansion-with-dynamic-search-in-the-JS/m-p/561412 Please share more details of your requirements in case you need more details.   Thanks KV If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated. 
Hi, did you open a case with Splunk support about this issue? I already opened one; Splunk support is still trying to resolve it.

Best Regards,
Steps to regenerate the SSL certificate for your Splunk instance running on Windows. Follow these instructions:

Check if the Certificate Has Expired:
#####################################
Open a command prompt or PowerShell window.
Navigate to your Splunk installation directory (usually C:\Program Files\splunk\bin).
Run the following command to check the certificate expiration date:

openssl x509 -enddate -noout -in "C:\Program Files\splunk\etc\auth\server.pem"

If the certificate has expired, proceed to the next step.

Backup the Existing Certificate:
#################################
Rename the existing certificate file (server.pem) to server.pem.back. You can do this by running:

ren "C:\Program Files\splunk\etc\auth\server.pem" server.pem.back

Restart Splunk:
###############
Restart the Splunk service to regenerate the certificate. Execute the following command:

.\splunk restart

This action will create a new server.pem file with a renewed certificate.

Verify the New Certificate:
###########################
Confirm that the new certificate has been generated successfully by checking the expiration date again:

openssl x509 -enddate -noout -in "C:\Program Files\splunk\etc\auth\server.pem"

How to create and sign your own TLS certificates - Splunk Documentation
Hi,

I created a column chart in Splunk that shows month but would like to also indicate the day of the week for each of those months.

Sample query
-------------------
index=_internal
| bucket _time span =1d
| eval month=strftime(_time,"%b")
| eval day=strftime(_time,"%a")
| stats avg(count) as Count max(count) as maximum by month, day
Query:

index=abc mal_code=xyz TERM(application) OR (TERM(status) TERM(success)) NOT (TERM(unauthorized) TERM(time) TERM(mostly)) site=SOC
|stats count by Srock
|stats sum(count) as Success
|appendcols [search index=abc mal_code=xyz (TERM(unauthorized) TERM(time) TERM(mostly)) NOT (TERM(status) TERM(success)) site=SOC
    |stats count by ID
    |fields ID
    |eval matchfield=ID
    |join matchfield [search index=abc mal_code=xyz site=SOC "application"
        |stats count by Srock
        |fields Srock
        |eval matchfield=Srock]
    |stats count(matchfiled) as Failed]
|eval Total=Success+Failed
|eval SuccessRate=round(Success/Total*100,2)
|table *

From the above query I am getting data only for one site, but I want data for both sites, SOC and BDC. I tried giving it as site=* but it's not working. Any help would be appreciated.
Log line will be:

05:02:05.213 Txt 46000 008a456b37de5982_ETC_RFG: (Q056) play this message id:announcement/4637825, duration:58

Expecting a table like:

008a456b37de5982 ETC RFG 4637825
Thanks Dorowo, based on your comment, after trying to fix this for hours I found the solution:

1. Download agent from https://accounts.appdynamics.com/downloads
2. Run npm install /my/local/path/appdynamics-nodejs-standalone-linux-x64-v21-24.1.0.9734.tgz
Please elaborate on "it doesn't work".  What results are you expecting and what do you get? What is that screenshot intended to show?  I see the name for the second app was mis-entered in app.conf and that both of the first two apps should have check_for_updates=false.  It's not clear how the screenshot demonstrates anything not working.
I suspect multiple LMs will cause issues. There's no real need for more than a single LM.  If the LM goes away, the clients will continue to function normally for a few days - which should be more than enough time to stand up a new LM.
I can confirm that the checkpoint data is stored in the KV Store on the forwarder.  The checkpoint is the last timestamp retrieved from the Azure REST API.  So if you use a new forwarder, the data will be ingested again (duplicate data).