All Posts

Hello @inventsekar, thanks for replying! Here is the info: Splunk Enterprise Version: 8.2.4. Delay: around 10 min. Kind regards
Please share the source code of your dashboard in a code block </>
Please share some sample anonymised events in code blocks </> to prevent reformatting and the loss of important data.
Hi @twanie, as @bowesmana said, it isn't possible because Splunk isn't a database: in the index you have all the events day by day, and it's not possible to delete or replace them; this way you also have the history of your data. If you want a table that you can replace every day, you could save the results of your query in a lookup that you recreate every day. Ciao. Giuseppe
Hi @ericg57, I agree with you: I don't remember that it's possible to change the monitoring interval, but why do you want this? It's better to have the new events as soon as possible, and they are read in near real time. The solution with a script is possible, but it does the same job as the monitor command, so why? Ciao. Giuseppe
Hi @bmanikya, check the regexes. If you share some samples of your logs, we could help you. Ciao. Giuseppe
Hi @LearningGuy, could you describe your issue in more detail, possibly attaching some screenshots, because I don't understand this behavior. Ciao. Giuseppe
The message appeared for forwarders (search head cluster) upgraded to 9.1.2. Settings: forceTimebasedAutoLB = false, useACK = true, autoLBFrequency = 30. Upgrading doesn't change the behavior on full Splunk Enterprise, but this seems to work on the Universal Forwarder.
Hi @scelikok, it works, sorry for the delay. Today I checked it. Best regards, AchimK
How can I create Investigations in Splunk ES using REST APIs and not using Splunk WEB UI.
Hello, why does Splunk drilldown open two tabs instead of one? Here's my setting: Image => Drilldown settings => On click, link to custom URL => put URL. When I clicked, it opened two tabs. I found an old post, but nobody answered. Please help. Thanks. https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-Splunk-drilldown-setting-opening-two-tabs-instead-of-one/m-p/602444
Did you ever figure this out? I had the same issue. Thanks
@gcusello Results are empty for App1 and App2.
Thanks @danielcj , think this is exactly what I needed. Somehow I never came across this when googling and searching around here.
@ITWhisperer @gcusello In Hadoop ResourceManager, once after "Operation=Submit Application Request", the ResourceManager will "Allocate New ApplicationID". I would like to see how much time difference there is between the 2 subsearches in the Splunk query.
Hello @jamesbanday, the message "is not a known identity" is related to the Identities that are configured in Splunk Enterprise Security; probably this user is not configured in the Identities lookup. To configure Assets & Identities in Splunk Enterprise Security, use the following doc: https://docs.splunk.com/Documentation/ES/7.3.0/Admin/Addassetandidentitydata. Also, you could check in Splunk if this identity exists using the identities macro:
| `identities` | search identity=<NAME_IDENTITY>
Thanks.
On that same link, they have given a good search explanation. May I know if you read it? May I know what confusion you have after reading that? Thanks.
Hello @MattH665, I believe that you are looking for the setting hostname = <your_hostname> in alert_actions.conf (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Alertactionsconf#GLOBAL_SETTINGS). Examples: http://splunkserver:8000, https://splunkserver.example.com:443. Remember to restart your instance after the changes. Thanks.
Hello @WumboJumbo675,
1 - Confirm in Splunk Cloud if the internal logs from the Heavy Forwarder are being indexed (I believe yes, since you said some logs are correct). If yes, the issue is in the UFs > HFs communication: index=_internal host=<host_name_heavy_forwarder>
2 - Confirm if the communication between UFs and HFs is working correctly. Look for ERROR messages or tcpout error messages in the UFs: $SPLUNK_HOME/var/log/splunk/splunkd.log
3 - Execute a btool check to confirm that there are no syntax errors in the .conf files on the UFs: splunk btool check
4 - Check the precedence of the inputs.conf files using btool to confirm that the inputs are being read: splunk btool inputs list --debug
5 - Confirm if there is a "wineventlog" index created in Splunk Cloud.
Let me know if this helps. Thanks.