All Posts
Your first search filters on SOC, your second search (first in appendcols) filters on SOC, your third search (first in join) filters on SOC - where would BDC come from? Either remove the filter to get all sites or use (site=SOC OR site=BDC) as your filters
Hi @bapun18, the number of indexers depends on the daily indexed logs, on the number of scheduled searches and on the active users. How many of them do you have? Can your reduced indexers manage your volume? In my opinion only a Splunk Architect can answer this question. Ciao. Giuseppe
Try something like this:

<input type="dropdown" token="timeperiod" searchWhenChanged="true">
  <label>Select day</label>
  <choice value="earliest=-1d@d latest=@d">Yesterday</choice>
  <choice value="earliest=-7d@d latest=-6d@d">Last week</choice>
</input>

Then use the $timeperiod$ token in your first search.
Hi @briancronrath, as @richgalloway said, the License Manager, like the other Splunk management consoles, isn't a Single Point of Failure because the infrastructure will continue to run even if the License Manager is down. You can eventually have a turned-off copy in a disaster recovery site, if the downtime is longer, but it isn't mandatory. Ciao. Giuseppe
Hi @Gauri, in the dropdown list insert the following fixed choices:

earliest=-d@d
earliest=-w@w

then in the search use the dropdown token:

index="abc" sourcetype="Prod_logs" $token$ latest=now
| eval day=if(strftime(_time,"%Y-%m-%d")=strftime(now(),"%Y-%m-%d"),"Today","Previous")
| stats count(transactionId) AS TotalRequest BY day

Ciao. Giuseppe
You are not really giving us sufficient information. The rex command that @bowesmana provided extracts the alphanumeric and numeric as you asked. Your "table" doesn't identify what the columns are called. Are ETC and RFG fixed non-varying constant strings? Do these need to be in separate fields in the table? Please clarify your requirement, although, tbh, you already appear to have been given a workable solution.
How can we fix this error?
"I need to create a dashboard with two queries in one dashboard, one query having a fixed time range of "Today" and the other query needs to select "earliest and latest" from the drop down. The data dropdown will have two values, "Yesterday" and "last week". Last week is the day from last week (if today is Feb 13, last week should show data from Feb 06)", e.g.

index="abc" sourcetype="Prod_logs"
| stats count(transactionId) AS TotalRequest (*** earliest and latest need to be derived as per user selection from the drop down ***)
| appendcols [search index="abc" sourcetype="Prod_logs" earliest=@d latest=now (**** Today's data ****)
    | stats count(transactionId) AS TotalRequest]
This works perfectly fine.
And with the update to Splunk Enterprise 9.2.0 the issue came back again :-(.
I am currently working on it too. I have found this general documentation that deals with the Splunk-BMC Helix integration: https://docs.bmc.com/docs/intelligentintegrations/222/integrating-with-splunk-enterprise-1083311397.html. Let me know if you have made any progress.
Hi @Strangertinz, your search seems to be correct, what's your issue? Ciao. Giuseppe
Hi @nithin204, what's the error you have? Anyway, the string you're using is correct (I suppose that the second $ was a mistyping), but in the dashboard editor you have to use a different notation for &, you must use &amp;:

<link>search?q=$drilldown_srch?earliest=$field1.earliest$&amp;latest=$field1.latest$|u$</link>

Ciao. Giuseppe
Hi All, I am trying to pass time variables to the search when I click on a value in a drilldown dashboard. Below is the source of the dashboard:

<form version="1.1">
  <label>test12</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>test12</title>
      <table>
        <search>
          <query>index=_internal status=* sourcetype=splunkd |lookup test12 name AS status OUTPUT value | stats count by value</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown target="_blank">
          <set token="drilldown_srch">index=_internal status=* sourcetype=splunkd |lookup test12.csv name as status output value | where value=$row.value$</set>
          <link>search?q=$drilldown_srch|u$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

I tried adding the time variables in the link as below but no luck:

<link>search?q=$drilldown_srch?earliest=$field1.earliest&latest=$field1.latest$|u$</link>

Thanks
Hello, this app was working fine for me until I updated to Splunk Enterprise 9.1.2, whereupon the urllib library keeps making errors where it does not understand HTTPS. From some rudimentary googling, it appears this may be related to the Splunk python urllib library not being compiled to use SSL. Would it be possible to refactor this app to use the http request helper functions?

bash-4.2$ /opt/splunk/bin/python3 getSplunkAppsV1.py
Traceback (most recent call last):
  File "getSplunkAppsV1.py", line 92, in <module>
    main()
  File "getSplunkAppsV1.py", line 87, in main
    for app_json in iterate_apps(app_func):
  File "getSplunkAppsV1.py", line 76, in iterate_apps
    data = get_apps(limit, offset, app_filter)
  File "getSplunkAppsV1.py", line 35, in get_apps
    data = json.load(urllib.request.urlopen(url))
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 548, in _open
    'unknown_open', req)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/opt/splunk/lib/python3.7/urllib/request.py", line 1420, in unknown_open
    raise URLError('unknown url type: %s' % type)
urllib.error.URLError: <urlopen error unknown url type: https>

(The same error is produced when I use python version 2)
Dears, I have resolved the issue by adding the configuration below under outputs.conf in the deployment server, then restarting the splunk service in the deployment server.

[indexAndForward]
index = true
selectiveIndexing = true

You can see the URL below: Upgrade pre-9.2 deployment servers - Splunk Documentation
@wvalente2 Are you looking for this? https://community.splunk.com/t5/Splunk-Dev/Table-row-expansion-with-dynamic-search-in-the-JS/m-p/561412 Please share more details of your requirements in case you need more details. Thanks KV. If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.
Hi, did you open a case with Splunk support about this issue? I already opened one; Splunk support is still trying to resolve it. Best Regards,
Steps to regenerate the SSL certificate for your Splunk instance running on Windows. Follow these instructions:

Check if the Certificate Has Expired:
Open a command prompt or PowerShell window. Navigate to your Splunk installation directory (usually C:\Program Files\splunk\bin). Run the following command to check the certificate expiration date:

openssl x509 -enddate -noout -in "C:\Program Files\splunk\etc\auth\server.pem"

If the certificate has expired, proceed to the next step.

Backup the Existing Certificate:
Rename the existing certificate file (server.pem) to server.pem.back. You can do this by running:

ren "C:\Program Files\splunk\etc\auth\server.pem" server.pem.back

Restart Splunk:
Restart the Splunk service to regenerate the certificate. Execute the following command:

.\splunk restart

This action will create a new server.pem file with a renewed certificate.

Verify the New Certificate:
Confirm that the new certificate has been generated successfully by checking the expiration date again:

openssl x509 -enddate -noout -in "C:\Program Files\splunk\etc\auth\server.pem"

How to create and sign your own TLS certificates - Splunk Documentation
Hi, I created a column chart in Splunk that shows the month but would like to also indicate the day of the week for each of those months.

Sample query:

index=_internal
| bucket _time span=1d
| eval month=strftime(_time,"%b")
| eval day=strftime(_time,"%a")
| stats avg(count) as Count max(count) as maximum by month, day