Hi, I have the below SPL and I am not able to get the expected results. Please could you help? If I use stats count by, then I'm not getting the expected result as below.

SPL:
basesearch earliest=@d latest=now
| append [ search earliest=-1d@d latest=-1d ]
| eval Consumer = case(match(File_Name,"^ABC"), "Down", match(File_Name,"^csd"),"UP", match(File_Name,"^CSD"),"UP",1==1,"Others")
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| eval percentage_variance=abs(round(((Yesterday-Today)/Yesterday)*100,2))
| table Name Consumer Today Yesterday percentage_variance

Expected Result:
Name Consumer Today Yesterday percentage_variance
TEN UP 10 10 0.0%
We want to install Splunk in our golden image using Packer. This is for deploying servers using golden images in Azure for RHEL8 and Ubuntu22. I found documentation for Windows (Integrate a universal forwarder onto a system image - Splunk Documentation), not for RHEL/Ubuntu. Any help appreciated.
Hi Everyone, ours is a small environment with 2 SHs and 3 indexers. Recently, after a resync on the SH cluster, I see the below error and the SH seems to be very slow. Is there a way to sort this out? This is the error/warning message I see in the MC, and below is the error while running ad hoc searches: "Gave up waiting for the captain to establish a common bundle version across all search peers; using most recent bundles on all peers instead" @rbal_splunk Looks like you have already answered this, can you please help here?
@PickleRick I'm using Splunk Enterprise. I wasn't sure of the best approach here; sounds like I can use events. Not sure how I can go about doing this, but I'll do more research.
Hello, for a dashboard the user wants that every time he opens the dashboard the canvas size fits his screen. How can I define this?
Looks like your search may be wrong - please share the source of your dashboard in a code block
Rather than extract everything *except* the tags, why not remove the tags and keep what's left? | rex mode=sed "s/\<[^\>]+>//g"
For those who are still trying to find a solution to this problem: it's very simple, just go back one step and on the page with "Data Input Parameters" add one field of the type "Global Account". This is required for each input configured in the add-on.
01-24-2024 10:24:31.312 +0000 WARN sendmodalert [3050674 AlertNotifierWorker-0] - action=slack - Alert action script returned error code=1
01-24-2024 10:24:31.312 +0000 INFO sendmodalert [3050674 AlertNotifierWorker-0] - action=slack - Alert action script completed in duration=96 ms with exit code=1
01-24-2024 10:24:31.304 +0000 FATAL sendmodalert [3050674 AlertNotifierWorker-0] - action=slack STDERR - Alert action failed
01-24-2024 10:24:31.304 +0000 INFO sendmodalert [3050674 AlertNotifierWorker-0] - action=slack STDERR - Slack API responded with HTTP status=200
01-24-2024 10:24:31.304 +0000 INFO sendmodalert [3050674 AlertNotifierWorker-0] - action=slack STDERR - Using configured Slack App OAuth token: xoxb-XXXXXXXX
01-24-2024 10:24:31.304 +0000 INFO sendmodalert [3050674 AlertNotifierWorker-0] - action=slack STDERR - Running python 3
01-24-2024 10:24:31.212 +0000 INFO sendmodalert [3050674 AlertNotifierWorker-0] - Invoking modular alert action=slack for search="Updated Testing Nagasri Alert" sid="scheduler_xxxxx__RMDxxxxxxx" in app="xxxxx" owner="xxxx" type="saved"

I have done the entire setup correctly: created an app with the chat:write scope and added the channel to the app, and got the OAuth token and the webhook link of the channel. But the sendalert is failing with error code 1, and the git "slack-alerts/src/app/README.md at main · splunk/slack-alerts (github.com)" doesn't mention it. Is it an issue from the Splunk end or the Slack end? What would be the fix for it?
When I was searching for different date ranges in my Splunk dashboard it showed the same. For example, I am selecting 1/1/2024 to 1/10/2024 and 1/3/2024 to 1/4/2024 and I am adding this query: earliest=-7d@d latest=+1d. But when removed, these values do not match. Please help out with this.
Error Message:
WARN sendmodalert [3050674 AlertNotifierWorker-0] - action=slack - Alert action script returned error code=1

Even I am getting the same error. Was this resolved? What was the fix? What does this error mean? No documentation in the git link either.
Hi All, I need to collect system metrics and monitor local files on Solaris servers. I'm considering installing the Universal Forwarder (UF) and utilizing the Splunk add-on for Unix to collect system metrics. Has anyone implemented this before, and do you have any insights or thoughts on this approach?
Hi, I have HTML tags like <p> <br> <a href="www.google/com target=_blank"> and so on in my raw data. I want to capture everything except these HTML tags. Please help me with a regex. Sample raw data:

A flaw in the way Internet Explorer handles a specific HTTP request could allow arbitrary code to execute in the context of the logged-on user, should the <UL> <LI> The first vulnerability occurs because Internet Explorer does not correctly determine an obr in a pop-up window.</LI> <LI> The t type that is returned from a Web server during XML data binding.</LI> </UL> <P> &quot;Location: URL:ms-its:C:WINDOWSHelpiexplore.::/itsrt.htm&quot; <P> :<P><A HREF='http://blogs.msdn.com/embres/archive/20/81.aspx' TARGET='_blank'>October Security Updates are (finally) available!</A><BR>
Hello, I'm installing the .NET Agent in a Windows 10 VM. When I run the \dotNetAgentSetup64-23.12.0.10912\Installer.bat file I get the following error: I can't find the missing key. I execute the install batch with the option "Run as Administrator". Any ideas? Help? Thank you. Here are the install logs:

Action ended 11:15:47: SetCoordinatorServiceUserNTAuthoritySystem. Return value 1.
Action start 11:15:47: AppSearch.
MSI (s) (3C:6C) [11:15:47:838]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (s) (3C:6C) [11:15:47:839]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (s) (3C:6C) [11:15:47:839]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\AppDynamics\dotNet Agent 3: 2
MSI (s) (3C:6C) [11:15:47:839]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (s) (3C:6C) [11:15:47:839]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\AppDynamics\dotNet Agent 3: 2
MSI (s) (3C:6C) [11:15:47:839]: Note: 1: 2262 2: Signature 3: -2147287038
MSI (s) (3C:6C) [11:15:47:840]: PROPERTY CHANGE: Adding WIXNETFX4RELEASEINSTALLED property. Its value is '#528372'.
MSI (s) (3C:6C) [11:15:47:840]: Doing action: SetWIX_IS_NETFRAMEWORK_462_OR_LATER_INSTALLED
Action ended 11:15:47: AppSearch. Return value 1.
MSI (s) (3C:6C) [11:15:47:840]: PROPERTY CHANGE: Adding WIX_IS_NETFRAMEWORK_462_OR_LATER_INSTALLED property. Its value is '1'.
Action start 11:15:47: SetWIX_IS_NETFRAMEWORK_462_OR_LATER_INSTALLED.
MSI (s) (3C:6C) [11:15:47:841]: Doing action: LaunchConditions
Action ended 11:15:47: SetWIX_IS_NETFRAMEWORK_462_OR_LATER_INSTALLED. Return value 1.
Action start 11:15:47: LaunchConditions.
MSI (s) (3C:6C) [11:15:47:842]: Product: AppDynamics .NET Agent -- AppDynamics .NET Agent installer requires administrative privileges.
Action ended 11:15:47: LaunchConditions. Return value 3.
Action ended 11:15:47: INSTALL. Return value 3.
MSI (s) (3C:6C) [11:15:47:844]: Note: 1: 1708
MSI (s) (3C:6C) [11:15:47:844]: Product: AppDynamics .NET Agent -- Installation failed.
MSI (s) (3C:6C) [11:15:47:845]: Windows Installer installed the product. Product Name: AppDynamics .NET Agent. Product Version: 23.12.0. Product Language: 1033. Manufacturer: AppDynamics. Installation success or error status: 1603.
MSI (s) (3C:6C) [11:15:47:848]: Deferring clean up of packages/files, if any exist
MSI (s) (3C:6C) [11:15:47:848]: MainEngineThread is returning 1603
MSI (s) (3C:A8) [11:15:47:848]: No System Restore sequence number for this installation.
=== Logging stopped: 1/24/2024 11:15:47 ===
MSI (s) (3C:A8) [11:15:47:849]: User policy value 'DisableRollback' is 0
MSI (s) (3C:A8) [11:15:47:849]: Machine policy value 'DisableRollback' is 0
MSI (s) (3C:A8) [11:15:47:849]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (3C:A8) [11:15:47:849]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (3C:A8) [11:15:47:850]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (3C:A8) [11:15:47:850]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (D4:24) [11:15:47:851]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (D4:24) [11:15:47:852]: MainEngineThread is returning 1603
=== Verbose logging stopped: 1/24/2024 11:15:47 ===
Is Cisco FMC compatible with Splunk Enterprise 8.2.7? Do you have a compatibility matrix?
Hi, did you find a solution? I'm looking at the same feature.
Hi @SatriaCiso. As I said for the Cluster Manager, it is the same thing for all Management servers: in Splunk architecture you cannot have two of them. And anyway, the cluster continues to run also without these components. Eventually you can have a turned-off copy, but with the same hostname and IP address, because you cannot configure two Cluster Managers or two Deployers and so on: there must be only one of them. This is fully described in the above links. Ciao. Giuseppe
Hi, thank you, sir, but I mean the management tier was: Deployer server, Deployment server, License master and Cluster master; those servers need to be on both sites, because our policy is that the Management tier must have a disaster recovery site. And if I have a second Management tier, it must have different hostnames and IPs. Thank you, Satriaciso
(First off, please post sample data as a text block, not a screenshot.) You should first convert the JSON array Policy{} into a multivalue field of its JSON elements before applying mvexpand. spath is very useful here. In 9.0, Splunk added a new command, fromjson, which is more convenient for your case. The following uses fromjson:

| fromjson _raw
| mvexpand Policies
| fromjson Policies
| stats count by displayName result

Your mock data gives

displayName result count
Policy1 success 1
Policy2 failure 1
Policy3 notApplied 1

This is an emulation of your mock data you can play with and compare with real data (the closing brace of the JSON object is restored here so the string parses):

| makeresults
| eval _raw = "{\"SigninId\": \"some-id\", \"Policies\": [ { \"id\": \"1234\", \"displayName\": \"Policy1\", \"result\": \"success\" }, { \"id\": \"4353\", \"displayName\": \"Policy2\", \"result\": \"failure\" }, { \"id\": \"0093\", \"displayName\": \"Policy3\", \"result\": \"notApplied\" } ] }"
Hi @MrJohn230, if you have a file so frequently updated, in my opinion the best solution is to load every version of the file in an index and use it as events; in this way, taking only the last version of the data, you'll always have updated data. Ciao. Giuseppe