All Posts

Hello @yuanliu  What you wrote is similar to my situation. I solved this problem a different way (note that this wasn't the way to go). But your answer made me aware of factors to think about. Thank you for your help!
Hello Experts, I just want clarity on the points below.
1. Is the AppD DB agent capable of detecting ORA errors in Oracle DB?
2. If yes, can we detect the ORA-00600 error via the AppD DB agent?
Please let us know the process for the same.
Hello,  I need to exclude and prevent the ingestion of data when these events occur. I'm using the TA_Linux and this event is from /var/log/audit/audit.log. Can you help me?
node=MXSPL1VMV803 type=SYSCALL msg=audit(1707180153.753:128962293): arch=c000003e syscall=87 success=yes exit=0 a0=7fb15c2fae20 a1=7fb0ea759e80 a2=7fb15c2fae20 a3=7fb1c0097b71 items=2 ppid=1 pid=1990 auid=3001 uid=3001 gid=3001 euid=3001 suid=3001 fsuid=3001 egid=3001 sgid=3001 fsgid=3001 tty=(none) ses=1 comm="elasticsearch[n" exe="/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="delete-successful"
Regards
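The usual way to drop an event like the one above before it is indexed is an index-time transform that routes matching raw events to nullQueue. The stanzas below are an added example, not part of the original post or of the Splunk add-on; they assume the audit log arrives with sourcetype linux_audit (the sourcetype the Splunk Add-on for Unix and Linux normally assigns to /var/log/audit/audit.log; adjust the props.conf stanza name if yours differs) and that the stanzas are deployed on the instance that parses the data (an indexer or heavy forwarder, not a universal forwarder). The regex is built only from fields visible in the posted event: it matches a successful SYSCALL record from uid 3001 whose exe is the Elasticsearch JDK java binary and whose auditd rule key is delete-successful, so other deletions on the host still reach the index.

```ini
# props.conf
# Assumption: the audit log is ingested with sourcetype linux_audit.
# Place this on the indexer or heavy forwarder that parses the data,
# not on a universal forwarder (universal forwarders do not run TRANSFORMS).
[linux_audit]
TRANSFORMS-drop_es_delete_noise = drop_es_delete_successful

# transforms.conf
# Match only the noisy pattern from the posted event: a successful syscall
# (syscall=87 is unlink on x86_64, arch=c000003e) issued by uid 3001 from the
# Elasticsearch JDK java binary and tagged by the auditd rule key
# "delete-successful". The field order (success, uid, exe, key) follows the
# order in which auditd writes a SYSCALL record.
[drop_es_delete_successful]
REGEX = type=SYSCALL\s.*\ssuccess=yes\s.*\suid=3001\s.*\sexe="/etc/elasticsearch/opendistroforelasticsearch/jdk/bin/java"\s.*\skey="delete-successful"
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats a practitioner would want here. First, key="delete-successful" comes from an auditd watch rule (the -k label), so these records are the audit trail for file deletions; dropping them at ingest destroys evidence, which is why the regex is pinned to the one process and uid that generate the churn rather than to the key alone. Second, if the goal is only to cut volume, the cleaner fix is on the source host: exclude that uid or binary in the auditd rule so the record is never written, instead of generating it and discarding it in Splunk.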
The Config page in my TA-dmarc app is not loading after migration...
Hi Ryan,  I would like to know what specifically I have to do in order to exceed the page exclusion limit for Ajax on a SaaS controller. The reason I am asking is that I am receiving an error message on the controller that states "Failed to exclude the Request". I have excluded Ajax page requests before; however, I am not able to exclude any more on the same controller. Regards, Shashwat
Hi all, I need to clarify the correlation searches within SOAR. Is there any way to identify them?
@richgalloway , Hi. When I manually execute the search, I noticed that by excluding the last line from the search query, I am able to visualize the critical events successfully. Nevertheless, despite this observation, no alerts appear in the Incident Review dashboard.
Hi, I want to refresh a lookup file daily. How do I do this? My file type is csv and in a file server. Thanks,
Use the addcoltotals command to sum the values and put them into the location field as "ABC".
... | addcoltotals labelfield=location label="ABC"
I recently upgraded my Splunk HF to Splunk Enterprise 9.1. I also upgraded the Splunk TA add-on for New Relic. Previous TA version: 2.1.0. New TA version: 2.1.6. After the upgrade the TA is not able to make API calls to New Relic and fails with the error "invalid api key". I confirmed the API key is correct and I am able to call it from another client.
I found this:  Migrate a Splunk Enterprise instance from one physical machine to another - Splunk Documentation   I will give it a try. Leo
Error rate and Target - need to display Target number for latest week only.
Hi, I have results for Error rate and Target for the last 12 weeks, and in the visualization the Target numbers are interfering with the error rate in the graph above. Is there any way to project Target for only the latest week from the 12 weeks of data and project the green line for 12 weeks, so it won't interfere with the error rate numbers? Splunk query below.
index=equipment_error reporttype=p_scada description="No case found with the expected dimensions" OR description="Flight Path Occupied" OR description="Place Position Occupied" OR description="Tray pattern does not comply" AND mark_code=TPO earliest=-12w@w1 latest=-0@w1
| eval APAL=substr(isc_id,2,2)
| append [| search index=internal_statistics_1h earliest=-12w@w1 latest=-0w@w1 [| inputlookup internal_statistics | where report="Throughput" AND level="step" AND step="Pallet building" AND measurement IN("Case") | fields id | rename id AS statistic_id]
    | eval value=coalesce(value,sum_value)
    | fields statistic_id value group_name location
    | eval _virtual_=if(isnull(virtual),"N","Y"),_cd_=replace(_cd, ".*:", "")
    | sort 0 -_time _virtual_ -"_indextime" -_cd_
    | dedup statistic_id _time group_name
    | fields - _virtual_ _cd_
    | lookup internal_statistics id AS statistic_id OUTPUTNEW report level step measurement
    | eval location=substr(location,12) , location="CaseQty".location
    | timechart span=1w@1 sum(value) BY location limit=0
    | addtotals]
| timechart span=1w@1 count(isc_id) as ErrorQty sum(Total) as CaseQty values(mark_code) as mark_code
| eval ErrorRate=round((ErrorQty/CaseQty)*10000,1)
| fillnull value=0
| eval Target="5"
| table _time ErrorRate Target
| where ErrorRate>0.001
Appreciate the help, and thanks in advance.
I want to query the user dataset using the from datamodel command. I know how to use nodename in the tstats command. When I run the SPL shown below, an error appears.
| from datamodel: test_01.evtid.user
If you know how, please reply.
Hi Splunk experts, I'm a Splunk beginner. I need help with a requirement. I have fields named 'location', 'login' and 'desk' with the following values:
location  login  desk
AA        1      0
BB        1      0
CC        0      10
DD        1      1
EE        0      1
My goal is to create a new location called 'ABC', which should be the sum of all four locations (AA, BB, CC, DD). I've tried the following search, but it's not summing up all four locations:
| appendpipe [search AA BB CC DD | eval location="ABC"] | stats sum(login) as login by desk
Please guide me on how to achieve this. Thank you.
You'd have to restart the forwarder service after logrotate (because I assume that's what you're using), just like you normally kill -HUP your syslog daemon.
Hi @ITWhisperer  Sorry, I must have forgotten to ask the question lol. Is there a way to make the dashboard react to the scenario below? I have 3 panels for the dropdown menu.
If A is selected:
panel 1 shows Search A
panel 2 shows Title and the link to URL
panel 3 shows another search of its own (if "drop down" A is selected)
If B is selected:
Panel 1 shows Search B
Panel 2 disappears
Panel 3 disappears
If C is selected:
Panel 1 shows Search C
Panel 2 disappears
Panel 3 disappears
If D is selected:
Panel 1 shows Search D
Panel 2 disappears
Panel 3 disappears
This is what I have so far, which doesn't seem to work as expected:
<input type="dropdown" token="tokenSearchOption1" searchWhenChanged="true">
  <label>Sources</label>
  <choice value="A">A</choice>
  <choice value="B">B</choice>
  <choice value="C">C</choice>
  <choice value="D">D</choice>
  <change>
    <condition value="A">
      <set token="tokenSearchQuery"> index= search query A</set>
    </condition>
    <condition value="B">
      <set token="tokenSearchQuery">index= search query B</set>
    </condition>
    <condition value="C">
      <set token="tokenSearchQuery">index=search query C</set>
    </condition>
    <condition value="D">
      <set token="tokenSearchQuery">index= search query D</set>
    </condition>
  </change>
  <initialValue>"A"</initialValue>
</input>
</panel>
</row>
<row>
  <panel id="URL test">
    <title>Title URL</title>
    <html>
      <!-- <style> .dashboard-row Title .dashboard-panel h2.panel-title { font-size: 40px !important; text-align:left; font-weight:bold; } </style>-->
      <center>
        <style>.btn-primary { margin: 5px 10px 5px 0;font-size: 40px !important; }</style>
        <a href="URL for a website" target="blank" class="btn btn-primary"> Click here </a>
      </center>
    </html>
  </panel>
</row>
<row>
  <panel depends=dropdown A>
    <title>Magic</title>
    <table>
      <search>
        <query>Index=Run this search when drop down A </query>
        <earliest>$tokTime.earliest$</earliest>
        <latest>$tokTime.latest$</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
      <option name="wrap">false</option>
    </table>
  </panel>
Is there a way to allow Splunk to refresh and review the new file every time?
Get your list of unique hosts, append your list of unique hosts from the lookup file twice, then use stats to count by host. Where the count is 1, the host is not in the lookup file; where it is 2, it is only in the lookup file; where it is 3, it is in both the searched events and the lookup file.
Is there a question here?
Using addinfo gets the time from the time picker (i.e. the global time picker in this instance) as an epoch time rather than what was selected. For example, if you chose "last 5 minutes", the token would have "now" as the value for $global.latest$ rather than the epoch-time equivalent of the current time. If you want to use bold and other decorations, you might consider markup panels, and you might be able to use token values there.