While creating a HEC token through PuTTY using the command below, we are getting an error like "Couldn't request server info: Couldn't complete HTTP request: Connection refused". Please provide any info or a solution.

    /opt/splunk/bin/splunk http-event-collector create Appd_Splunk -uri http://<IP>:8089 -description "This is a Appd token" -disabled 1 -index toll_alrt
Panel_1:

    <set token="V20">$result.value_20$</set>
    <set token="V40">$result.value_40$</set>
    <set token="V0">$result.value_0$</set>
    <set token="V100">$result.value_100$</set>

Panel_2:

    <format type="color" field="&gt;6hrs-&lt;8hrs">
      <colorPalette type="expression">case(value&lt;="$V20$", "#006400", value&gt;"$V20$" AND value&lt;="$V40$", "#ffb200", value&gt;"$V40$", "#800000")</colorPalette>
    </format>
    <format type="color" field="&gt;8hrs-&lt;10hrs">
      <colorPalette type="expression">case(value&lt;="$V20$", "#006400", value&gt;"$V20$" AND value&lt;="$V40$", "#ffb200", value&gt;"$V40$", "#800000")</colorPalette>
    </format>
    <format type="color" field="&gt;10hrs-&lt;12hrs">
      <colorPalette type="expression">case(value&lt;="$V20$", "#006400", value&gt;"$V20$" AND value&lt;="$V40$", "#ffb200", value&gt;"$V40$", "#800000")</colorPalette>
    </format>
    <format type="color" field="&gt;12hrs-&lt;14hrs">
      <colorPalette type="expression">case(value&lt;="$V20$", "#006400", value&gt;"$V20$" AND value&lt;="$V40$", "#ffb200", value&gt;"$V40$", "#800000")</colorPalette>
    </format>
    <format type="color" field="&gt;14hrs-&lt;16hrs">
      <colorPalette type="expression">case(value&lt;="$V20$", "#006400", value&gt;"$V20$" AND value&lt;="$V40$", "#ffb200", value&gt;"$V40$", "#800000")</colorPalette>
    </format>

The above is the scenario: I have created the tokens from the Panel_1 result and I am passing those tokens into the colorPalette expression to highlight the cells dynamically. But I am not able to reach the desired output. How can I reach the desired output?
The issue occurred due to permission restrictions. Thanks, it is resolved. @richgalloway 
That looks great, thank you PickleRick! I modified it to "| foreach val1 val2" to avoid the "Failed to parse templatized search for field 'previous_val1'" error. I need some time to adapt it to my real search, I'll get back.
We upgraded the UF to v9.0.6 and it solved our issue: https://docs.splunk.com/Documentation/Splunk/9.0.6/ReleaseNotes/Fixedissues#Windows-specific_issues
Hi @gcusello No, that is just an example. I don't actually have the characters "METRIC_NAME" in my data. METRIC_NAME can be anything from "CPU usage" to "paychek value" or whatever. That's why I tried TIME_PREFIX = \S+\s\S+\s at first. I'll edit the examples in my original post to avoid misunderstandings.
The IN operator expects a parenthesized list of values. The if function is not valid in the search command so, no, this will not work.
I want to download the trial version of Splunk Enterprise. I managed to register. Whenever I try to log in to Splunk.com, it keeps showing a 403 error. I tried with both Chrome and Firefox, same error. Both browsers are the latest version.

When I click on Login, it redirects to the following and shows a 403 error:

    https://www.splunk.com/saml/login?module=nav&redirecturl=https://www.splunk.com/

Environment: Windows 11 (updated with the latest MS patches) and home network.

I have already tried the following:
- rebooted the laptop and router
- cleared the cache of the browsers
- added www.splunk.com to the trusted zone
- disabled Windows Firewall
- disabled AV

Anything else I should be checking?
Hi @tommasoscarpa1, sorry I didn't see it! Anyway, if before the timestamp in epoch time you always have METRIC_NAME, you could try:

    TIME_PREFIX = METRIC_NAME\s+
    TIME_FORMAT = %s

Ciao. Giuseppe
Try now. I "fixed" it but I overthought it so I "fixed it back".
By default, a subsearch returns its results as a formatted string. Run the subsearch by itself with | format appended to see what it looks like. A workaround may be to use the return command instead of table:

    main search
    | eval onerowevent=if(like(onerowevent, "%".[| inputlookup blabla.csv | <whatever_condition_to_make_onecompare_field> | return $onecompare]."%"), onerowevent, "")
Hi Giuseppe. I've added an example in my original post
Hi @tommasoscarpa1, could you share a sample of your logs? Ciao. Giuseppe
Perhaps the app didn't download at all.  Try again or use a different browser.
Something is missing here, there aren't any values in the column "changed".
Hello, I have events in this format:

    <servername> <metricname> <epochtime> <metricvalue>

These events come from HEC to a heavy forwarder and are then forwarded to indexers. I would like to set Splunk to recognize <epochtime> as the event timestamp. <servername> and <metricname> are alphanumeric words with no whitespace inside, while <metricvalue> is numerical. <epochtime> is a 10-digit integer epoch time.

I've set up the props.conf file on the heavy forwarder as follows:

    [sourcetypename]
    TIME_FORMAT = %s

But events are not indexed with the correct timestamp. I also tried to add this property:

    TIME_PREFIX = \S+\s\S+\s

But no luck. Can you help me understand what I am doing wrong?

EDIT: Log example:

    mywebserver123 SOME_METRIC 1706569460 5
    myotherwebserver456.domain.com ANY_OTHER_NAME 1706569582 3
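Added example (not part of the thread above, and not Splunk code): a small Python check that applies the two TIME_PREFIX candidates discussed in this thread to the two constructed sample lines from the post, then reads the digits that follow the prefix as %s epoch seconds. It is a deliberately simplified model of TIME_PREFIX + TIME_FORMAT = %s, not Splunk's actual timestamp processor; the 10-character window after the prefix is an assumption that stands in for MAX_TIMESTAMP_LOOKAHEAD. It shows why `\S+\s\S+\s` lands on the epoch for both lines while a literal `METRIC_NAME\s+` prefix matches neither, which matters when event time drives incident timelines.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample lines in the format <servername> <metricname> <epochtime> <metricvalue>,
# copied from the post above.
SAMPLE_EVENTS = [
    "mywebserver123 SOME_METRIC 1706569460 5",
    "myotherwebserver456.domain.com ANY_OTHER_NAME 1706569582 3",
]

# The two TIME_PREFIX candidates from the thread.
# The first skips any two whitespace-free words; the second assumes the literal
# text METRIC_NAME precedes the timestamp, which the sample data does not contain.
PREFIX_TWO_WORDS = r"\S+\s\S+\s"
PREFIX_LITERAL = r"METRIC_NAME\s+"


def extract_epoch(line: str, time_prefix: str, lookahead: int = 10) -> Optional[int]:
    """Simplified model of TIME_PREFIX + TIME_FORMAT=%s (an assumption, not Splunk's parser):
    locate the prefix regex, then read an unsigned integer that starts immediately
    after it, considering at most `lookahead` characters (stand-in for MAX_TIMESTAMP_LOOKAHEAD).
    Returns None when the prefix does not match or no digits follow it."""
    m = re.search(time_prefix, line)
    if not m:
        return None
    window = line[m.end():m.end() + lookahead]
    digits = re.match(r"\d+", window)
    if not digits:
        return None
    return int(digits.group(0))


def to_utc(epoch: int) -> str:
    """Render epoch seconds as an ISO-8601 UTC string for eyeballing the result."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def check_prefix(time_prefix: str, lines: List[str] = SAMPLE_EVENTS) -> List[Optional[int]]:
    """Apply one TIME_PREFIX candidate to every sample line."""
    return [extract_epoch(line, time_prefix) for line in lines]


if __name__ == "__main__":
    for name, prefix in (("two words", PREFIX_TWO_WORDS), ("literal", PREFIX_LITERAL)):
        for line, epoch in zip(SAMPLE_EVENTS, check_prefix(prefix)):
            when = to_utc(epoch) if epoch is not None else "no timestamp found"
            print(f"{name:9s} | {line!r:60s} -> {when}")
```

Run it as-is; the two-word prefix yields 2024-01-29T23:04:20Z and 2024-01-29T23:06:22Z for the two lines, while the literal prefix finds nothing, which is the behaviour the original poster describes.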
Not using that add-on, but it looks to me that:
- it is because the custom command is trying to sort the results before returning;
- you will notice that it will probably work if you only pipe 1 event into the command;
- easy way out: remove results.sort() from the custom command, hoping they fix the add-on for you.
Hi @SplunkDash, I don't know why, but the form adds a part to the address. Remove all the chars after 742 in the URL address, or go to apps.splunk.com and search for Splunk Add-On for Windows. Ciao. Giuseppe
Thanks for your quick response @richgalloway. I have already tried that, and it doesn't show me any folder where it is saved. I checked my local machine too and was unable to locate it.
See my response from this thread https://community.splunk.com/t5/Splunk-Search/Tracking-Field-Changes-in-Events/m-p/675494/highlight/true#M231114