All Posts

Hi all, I am new to Splunk. When I start Splunk, it does not show information regarding the web interface being available to access. Normally at the end there is a message saying that the web interface is available at 127.0.0.0:8000. It just disappeared, because I was able to see it earlier. I don't know if I misconfigured something. Appreciate the help.
The nature of Splunk is for data aggregation and standardization from digests. Could it be possible to utilize it to preprocess data for a large language model?
Hi @Geoff.Wild, I found some info. It's a few years old, but perhaps it'll point you in the right direction. The error could be due to the JDBC driver not being compatible with the MySQL connector. The JDBC driver jar mysql-X.jar needs to be replaced with a compatible driver file under the <DBAgent_install_dir>/lib/ folder. We will need to stop the DB agent Java process, replace the current JDBC driver for MySQL in the agent lib folder with a compatible JDBC driver, and start the agent again; see if that information helps. Refer to the forum link below: https://stackoverflow.com/questions/37348572/new-mysql-driver-causes-java-sql-sqlnontransientconnectionexception-client-plug
When I put in my search like this

    | rex field=_raw "duser=(?<User>.*?) dvc"

I get a new field called UserNameLabel with the value of User.
Assuming dvc is the ip address you mentioned and duration is reset to 1 after determining a range, how can the max be anything other than 1?
Hi, I'm not sure what you are virtualizing and what you want to monitor, or are you asking something else? Are you talking about virtualization of the Splunk infrastructure, or are you monitoring your virtualization environment, like VMware? r. Ismo
Hi there, I have configured the Dynatrace add-on with proxy setup enabled (because of a firewall issue). If I run the Dynatrace URL using the API token through Postman I am getting data for all the endpoints. But in Splunk we are getting connectionpool.py and modinput.py errors for the Dynatrace API Version 2 input.

    DEBUG pid=xxxxx tid=MainThread file=connectionpool.py:_new_conn:1018
    DEBUG pid=xxxxx tid=MainThread file=base_modinput.py:log_debug:298

Please guide me to fix this issue, thank you.
I assume by "break into single lines" you mean expand to multiple events?

    | rex max_match=0 "\<Computer\>(?<computer>[^\<]*)\</Computer\>"
    | mvexpand computer
Try something like this:

    | eval duration_range=mvrange(0, duration + duration%3600, 3600)
    | eval duration = 1
    | mvexpand duration_range
    | eval _time=_time-duration_range
    | timechart span=1h max(duration) by dvc
We need to extract the value behind "<Computer>". I have underlined it to make it easier. It would also be beneficial to have these broken out into single lines. Any help is greatly appreciated!

    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData><RenderingInfo Culture='en-US'><Message>Creating RunspacePool object 
Set your anchors either side of the field extraction:

    | rex "duser=(?<User>.*?) dvc"
Here is my sample data:

    start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37

I need to extract the full duser information. Splunk only grabs NT and not the remainder of the string. I have the following regex via regex101 that works; I am grabbing whatever is between 'duser=' and ' dvc':

    (?<=duser=)(.*?)(?= dvc)

I just don't quite understand how the field extraction part is supposed to work. I have tried

    | rex field=_raw "'(?<User>(?<=duser=)(.*?)(?= dvc))'"

and

    | rex field=_raw "duser=\s+(?<User>[^\\]*)"

No errors, just not getting any data in a User field. Thanks in advance.
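Added example, not from any of the posts above and not Splunk's code: the two extractions discussed in this thread (the duser value between "duser=" and " dvc", and the <Computer> element from Windows event XML) transcribed to Python's re module and run against constructed sample events modelled on the ones posted. Splunk's rex uses PCRE named groups (?<name>...); Python's re needs (?P<name>...), which is the only change to the patterns. The block also runs the two patterns from the question, which match nothing, and shows a namespace-aware XML parse as the sturdier alternative when the event is complete, well-formed XML. All function names are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample events, modelled on the ones in the posts above (not verbatim).
KV_EVENT = r"start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37"
XML_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><EventID>8194</EventID><Computer>server.domain</Computer></System>"
    "<EventData><Data Name='MaxRunspaces'>1</Data></EventData>"
    "</Event>"
)

# rex "duser=(?<User>.*?) dvc" in Python syntax. The anchors on both sides are what
# keep the whole value: the lazy .*? runs from 'duser=' up to the literal ' dvc', so
# the space in 'NT AUTHORITY' and the backslash in '\SYSTEM' are both included.
DUSER_RE = re.compile(r"duser=(?P<User>.*?) dvc")


def extract_duser(event: str):
    """Return the full duser value, or None when the anchors are not present."""
    m = DUSER_RE.search(event)
    return m.group("User") if m else None


def failed_attempts(event: str):
    """The two patterns from the question, transcribed to Python: both return None.
    The first requires literal single quotes around the value, which the data lacks;
    the second requires whitespace right after 'duser=', and there is none."""
    quoted = re.search(r"'(?P<User>(?<=duser=)(.*?)(?= dvc))'", event)
    spaced = re.search(r"duser=\s+(?P<User>[^\\]*)", event)
    return quoted, spaced


def extract_computers_regex(xml_text: str):
    """rex max_match=0 "<Computer>(?<computer>[^<]*)</Computer>" as a list of every
    match; mvexpand is what then turns that multivalue field into one event per value."""
    return re.findall(r"<Computer>([^<]*)</Computer>", xml_text)


WIN_EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def extract_computers_xml(xml_text: str):
    """Same extraction with a real XML parser: honours the default namespace and is not
    fooled by '<Computer>' text appearing inside a message body or attribute value."""
    root = ET.fromstring(xml_text)
    return [el.text for el in root.iterfind(".//e:Computer", WIN_EVENT_NS)]


if __name__ == "__main__":
    print(extract_duser(KV_EVENT))             # NT AUTHORITY\SYSTEM
    print(failed_attempts(KV_EVENT))           # (None, None)
    print(extract_computers_regex(XML_EVENT))  # ['server.domain']
    print(extract_computers_xml(XML_EVENT))    # ['server.domain']
```

The regex route is what the thread asked for and works on the truncated sample as posted; the ElementTree route only works on a complete event, but it is the one to reach for when the raw XML is intact, because an attacker-controlled PowerShell message body can contain the literal text "<Computer>" and a regex will happily extract it.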
We are in the midst of a virtualization project, and we are looking for a way to sanity check all the different components. I know that the MC does some of it, but I’m not sure if it covers all aspects. I’m thinking about scripted input, and a dedicated dashboard to monitor and verify all the settings. Do you have any other suggestions, by any chance?
Hello, I put Table 1 into a CSV file called "StudentRank.csv" and tried to use a subsearch; it didn't seem to work. See below:

    index=student [search | inputlookup StudentRank.csv | head 2 | table StudentID]

I also tried to use appendpipe or append; it worked, but it showed all students in the CSV table (4 students):

    | append [ | inputlookup StudentRank.csv | head 2 | table StudentID]

My goal is similar to | search StudentID=101 .. repeat until StudentID=102 (N out of Total; in this example, 2 out of 4). The second search is a lot of details. Is it possible to pass a token in a scheduled search, like when passing a token from a dropdown selection box in a Splunk dashboard? Thank you!!
Hi, It is possible to generate these types of custom command line metrics using the "smartagent/exec" receiver. https://docs.splunk.com/observability/en/gdi/monitors-databases/exec-input.html It can be tricky to get the format and approach just right, so here are some tips:

1) Put your command in an external script so it's easier to format the output in an acceptable format, and it's also easier to format the call from your receiver. The default format is "influx", so an example of the output you want to generate would look like this:

    printerqueue,printer=myprinter length=5

That output would generate a metric named "printerqueue.length" with a value of 5 and a tag name of "printer" and a tag value of "myprinter". Your external script might look like this:

    #!/bin/sh
    echo printerqueue,printer=myprinter length=$(lpstat -o | wc -l)

2) You'll need to define a receiver in your OTel config (e.g. agent_config.yaml):

    receivers:
      smartagent/exec:
        type: telegraf/exec
        command: "/PATH/TO/printerqueue_script.sh"
        telegrafParser:
          dataFormat: "influx"

3) Don't forget to place your new receiver in your metrics pipeline and restart your OTel collector:

    service:
      pipelines:
        metrics:
          receivers: [hostmetrics, otlp, signalfx, smartagent/signalfx-forwarder, smartagent/exec]
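Added example, not Splunk's code and not the answer's own script: the same printerqueue.length line the shell one-liner above emits, produced from Python with the influx line-protocol escaping the one-liner does not need because its tag value is a constant. If the printer name ever comes from lpstat output or a config file, a name containing a space, comma or equals sign changes the meaning of the line (it becomes an extra tag or field) unless escaped. The lpstat output below is constructed, the function names are mine, and parse_line is a small reader for just the subset emitted here, included to show the escaping round-trips.

```python
import re

MEASUREMENT = "printerqueue"

# Constructed `lpstat -o` output: one line per queued job, two jobs here.
LPSTAT_SAMPLE = (
    "HP_Laser-12 alice 2048 Thu 25 Jan 2024 10:00:00\n"
    "HP_Laser-13 bob   1024 Thu 25 Jan 2024 10:01:00\n"
)


def escape_tag(value: str) -> str:
    """Influx line protocol: commas, equals signs and spaces in tag keys and values
    must be backslash-escaped, or the parser reads them as the next tag or field.
    Escaping the backslash itself is optional in the protocol; done first here so
    the escapes below cannot be confused with a literal backslash in the name."""
    return (value.replace("\\", "\\\\")
                 .replace(",", "\\,")
                 .replace("=", "\\=")
                 .replace(" ", "\\ "))


def count_print_jobs(lpstat_output: str) -> int:
    """One non-blank line per queued job (what `lpstat -o | wc -l` approximates)."""
    return sum(1 for line in lpstat_output.splitlines() if line.strip())


def format_line(measurement: str, tags: dict, fields: dict) -> str:
    """Build '<measurement>,<tag>=<v>,... <field>=<v>,...'. No timestamp is appended;
    the collector stamps the point with the time it read the script's output."""
    tag_part = "".join(f",{escape_tag(k)}={escape_tag(v)}" for k, v in sorted(tags.items()))
    field_part = ",".join(f"{escape_tag(k)}={v}" for k, v in sorted(fields.items()))
    return f"{escape_tag(measurement)}{tag_part} {field_part}"


def queue_metric_line(printer: str, lpstat_output: str) -> str:
    """The line the exec receiver should read: printerqueue.length tagged by printer."""
    return format_line(MEASUREMENT, {"printer": printer},
                       {"length": count_print_jobs(lpstat_output)})


def _split_unescaped(s: str, sep: str, maxsplit: int = -1):
    """Split on sep unless it is backslash-escaped; escapes are kept for later passes."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep and maxsplit != 0:
            parts.append("".join(cur))
            cur = []
            maxsplit -= 1
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_line(line: str):
    """Read back one line of the subset emitted above: (measurement, tags, fields)."""
    key_part, field_part = _split_unescaped(line.strip(), " ", maxsplit=1)
    measurement, *tag_items = _split_unescaped(key_part, ",")
    tags = {}
    for item in tag_items:
        k, v = _split_unescaped(item, "=", maxsplit=1)
        tags[_unescape(k)] = _unescape(v)
    fields = {}
    for item in _split_unescaped(field_part, ","):
        k, v = _split_unescaped(item, "=", maxsplit=1)
        fields[_unescape(k)] = float(v)
    return _unescape(measurement), tags, fields


if __name__ == "__main__":
    import shutil
    import subprocess
    output = ""
    if shutil.which("lpstat"):
        output = subprocess.run(["lpstat", "-o"], capture_output=True, text=True).stdout
    print(queue_metric_line("myprinter", output))
```

Pointing the receiver's command at this file instead of the shell script gives the same metric for the constant printer name; the difference only shows up for a name such as "front desk,host=evil", which the escaped form keeps as one tag value rather than letting it add a bogus "host" tag.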
Add the operating system to the list of values returned by stats rather than as one of the group-by options.

    | stats sparkline(sum(event_count)) AS event_count_sparkline sum(event_count) AS total_events, values(operatingSystem) AS operatingSystems BY host
My current search is

    | tstats count AS event_count WHERE index=* BY host, _time span=1h
    | append [ | inputlookup Domain_Computers | fields cn, operatingSystem, operatingSystemVersion | eval host = coalesce(host, cn)]
    | fillnull value="0" total_events
    | stats sparkline(sum(event_count)) AS event_count_sparkline sum(event_count) AS total_events BY host

How do I get operatingSystem to display in my table? When I add it to the end of my search (BY host, operatingSystem) my stats break in the table.