Good to know about the different versions, thanks for the help!
Hi there, I appreciate the generic guidance, but it isn't really relevant to my question. I am trying to find out how I can display CPU performance metrics via the perfmon stanza. Sorry if my question wasn't clear, Jamie
Schweet, thanx!
No problem just removing .meta files. Correct.
That may be an off by one error in the script block that checks attributes and writes error messages; name isn't a valid attribute. Instead of name, try cn, displayName, sAMAccountName, givenName, sn, etc.
MaxMind offer a database you download to map lat/long to time zone, among other fields.  The database can replace that used by Splunk for the iplocation command or you can use the CSV version of the DB as a separate lookup table.  A subscription may be required.  See https://www.maxmind.com/en/geoip-databases
And just to make sure, there is no problem just removing the file? I assume that you first check for any local changes you want to remain, but otherwise you can just delete the file and move on?
You are correct; local.meta trumps default.meta for a given app.  To get the default.meta to take effect again, the local.meta stanza or file must be removed.
Yes, definitely the parsing server! And this is what I found out: the server was NOT set to UTC. I had them change it and I'm gtg; however, I don't see how I can explicitly set the TZ on indexing, as it is not part of the string being sent to us and I do not see where we can set the TZ in the source type. As always, appreciate the education everyone, thank you!
I have a use-case where a Splunk end-user should only be allowed to search on a subset of events in an index. For example, restrict the end-user to only be able to search for customers' data which the end-user has authorisation to. Is there a smart way of doing this in Splunk? I looked into different solutions like Splunk Apps, External Lookup, Custom parameters in OAuth... Building a new front-end app and using the Splunk search API is one way; however, that is probably not the smartest way of doing it. I guess that I'm not the first one that has this use-case.
No. "Assuming local time if the server is UTC" (I assume you're talking about the parsing server, not the source) is OK only if the source sends the data in UTC.
Thanks for the answer, at least the indexers are in the same environment as the smartstore and not on-prem.
I have a dashboard with a timer input; drop down 1 (DD1) depends on the timer input, and multi-select drop down 2 (DD2) depends on DD1. Once all the input is provided, the user hits the "Submit" button and the resulting chart should be displayed. All of this works well as long as separate search queries are used in each one of them. Once the timer changes, DD1 is searched and values are displayed. Once DD1 is selected, the DD2 search starts, and corresponding values are displayed. All goes well. Here's a working example:

<form version="1.1" theme="light">
  <label>Technical - HTTP Metrics</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time_duration_token" searchWhenChanged="false">
      <label>Select a time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="service_name_token" searchWhenChanged="false">
      <label>Select microservice</label>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>
          index="cloud_world" | spath source | search event.logger="*CustomLoggingMeterRegistry*" | rex field=event.message "(?&lt;metric_name&gt;[a-z.]+)" | search metric_name="http.server.requests" | dedup source
        </query>
        <earliest>$time_duration_token.earliest$</earliest>
        <latest>$time_duration_token.latest$</latest>
      </search>
    </input>
    <input type="multiselect" token="http_uri_multiselect_token" searchWhenChanged="false">
      <label>Select URI</label>
      <fieldForLabel>http_uri</fieldForLabel>
      <fieldForValue>http_uri</fieldForValue>
      <search>
        <query>
          index="cloud_world" | spath source | search source=$service_name_token|s$ event.logger="*CustomLoggingMeterRegistry*" | rex field=event.message "(?&lt;metric_name&gt;.*){.*,status=(?&lt;http_status&gt;[\d]{3}),uri=(?&lt;http_uri&gt;.*)}.*mean=(?&lt;mean_time&gt;[\d.]+)s\smax=(?&lt;max_time&gt;[\d.]+)" | search metric_name="http.server.requests" | top http_uri
        </query>
        <earliest>$time_duration_token.earliest$</earliest>
        <latest>$time_duration_token.latest$</latest>
      </search>
      <delimiter>,</delimiter>
      <valueSuffix>"</valueSuffix>
      <valuePrefix>"</valuePrefix>
    </input>
    <input type="checkbox" token="http_status_token">
      <label>Select HTTP status</label>
      <choice value="&quot;200&quot;, &quot;201&quot;">2xx</choice>
      <choice value="&quot;400&quot;, &quot;401&quot;">4xx</choice>
      <delimiter> </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Mean time by URI</title>
      <chart>
        <title>Mean time</title>
        <search>
          <query>
            index="cloud_world" | spath source | search source=$service_name_token|s$ event.logger="*CustomLoggingMeterRegistry*" | rex field=event.message "(?&lt;metric_name&gt;.*){.*,status=(?&lt;http_status&gt;[\d]{3}),uri=(?&lt;http_uri&gt;.*)}.*mean=(?&lt;mean_time&gt;[\d.]+)s\smax=(?&lt;max_time&gt;[\d.]+)" | search metric_name="http.server.requests" | where http_uri in($http_uri_multiselect_token$) AND http_status in($http_status_token$) | chart max(mean_time) over _time by http_uri usenull=f useother=false
          </query>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.text">Time (in ms)</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.chart.showDataLabels">minmax</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.placement">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

As you can see, the same searches are used everywhere, hence I decided to use a base search in the input dropdowns as below:

<form version="1.1" theme="light">
  <label>Technical - HTTP Metrics</label>
  <search id="httpMetricsBaseSearch">
    <query>
      index="cloud_world" | spath source | search event.logger="*CustomLoggingMeterRegistry*" | rex field=event.message "(?&lt;metric_name&gt;[a-z.]+){(?&lt;metric_dimensions&gt;.*)}\s(?&lt;metric_measurements&gt;.*)" | search metric_name="http.server.requests" | rex field=metric_dimensions "status=(?&lt;http_status&gt;[\d]{3}),uri=(?&lt;http_uri&gt;.*)" | rex field=metric_measurements "mean=(?&lt;mean_time&gt;[\d.]+)s\smax=(?&lt;max_time&gt;[\d.]+)" | table source, http_uri, http_status, max_time, mean_time, _time
    </query>
    <earliest>$time_duration_token.earliest$</earliest>
    <latest>$time_duration_token.latest$</latest>
  </search>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time_duration_token" searchWhenChanged="false">
      <label>Select a time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="service_name_token" searchWhenChanged="false">
      <label>Select microservice</label>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search base="httpMetricsBaseSearch">
        <query>
          | dedup source
        </query>
      </search>
    </input>
    <input type="multiselect" token="http_uri_multiselect_token" searchWhenChanged="false">
      <label>Select URI</label>
      <fieldForLabel>http_uri</fieldForLabel>
      <fieldForValue>http_uri</fieldForValue>
      <search base="httpMetricsBaseSearch">
        <query>
          | where source=$service_name_token|s$ | dedup http_uri
        </query>
      </search>
      <delimiter>,</delimiter>
      <valueSuffix>"</valueSuffix>
      <valuePrefix>"</valuePrefix>
    </input>
    <input type="checkbox" token="http_status_token">
      <label>Select HTTP status</label>
      <choice value="&quot;200&quot;, &quot;201&quot;">2xx</choice>
      <choice value="&quot;400&quot;, &quot;401&quot;">4xx</choice>
      <delimiter> </delimiter>
    </input>
  </fieldset>
</form>

In this case, if I change the time from the time picker, the "Select service" dropdown is not re-searched. This used to happen when the searches were separate, but after switching to a base search it just doesn't work. It actually starts to search once the "Submit" button is clicked, but I want to reserve that for the "final" submit, i.e. when the user has provided all his inputs. Is there a way to fix this, or is it that base searches are not supposed to be used in input searches when submitButton="true"?
The documentation is correct. Once you go to SmartStore you can't go back; anything else would be a Science Experiment. Switching to SmartStore (S2) should not have caused the problems you listed. Search performance can be affected if the S2 cache is too small or users have a tendency to search over more than 30 days. Is SmartStore in the same environment as your indexers? Using a cloud S2 with on-prem indexers is likely to cause problems and be expensive.
Why does oneidentity override the dnslookup transform, changing the parameter names from clientip to ip and from clienthost to host?
Hello, I have a few services that today send data to some index via code. We are going to remove this index and create a new one but cannot change the code, so I want to change the point with transforms.conf + props.conf using a regex that extracts the service name from the source field and the environment from _raw. This is my transforms.conf file:

[service_extraction]
SOURCE_KEY = source
REGEX = \/var\/log\/pods\/(.+?)_
FORMAT = complaince_int_front::@service_$environment
DEST_KEY = _MetaData:Index
LOOKAHEAD = 40000

[environment_extraction]
SOURCE_KEY = sourcetype::kube:container:mockapiservice
REGEX = "Region":"(.+?)"
FORMAT = complaince_int_front::@service_$1
DEST_KEY = _MetaData:Index
LOOKAHEAD = 40000

I guess I did something wrong since it's not working.
Thanks for the reply @PickleRick. Sure, there will be a third column containing only assets that are not seen in both sources simultaneously, and in addition at the end of the list there should be Totals of these assets. Would you be able to develop a sample solution for this, please? Thank you.
You can either use the "splunk _internal call" command on the cmdline or use | rest /services/cluster/manager/buckets | where multisite_bucket=0 AND standalone=0 (or "false" instead of 0, I'm not sure here)
That use case is not supported by WLM admission rules.  Go to https://ideas.splunk.com to make a case for it.
Hi @tscroggins, I was using the search app to run

| ldapsearch search="(&(objectClass=user))" attrs=name, accountExpires

accountExpires is the attribute causing the aforementioned error. I know the property exists because I am able to call it via Get-ADUser.