All Posts

Hi @sekhar463, which user are you using to run Splunk? Does this user have the grants to read this file? Please check that the path of the file is correct, running the dir command in a cmd window. Ciao. Giuseppe
Still not coming. The file is a text file as below and it's under Program Files\Crestron\CCS400\User\Logs\, and I want to ingest the file CCSFirmwareUpdate.txt.
Hi there, I use a Splunk Cloud instance with Universal Forwarders installed on each server. From here I have edited the inputs.conf file to enable the [perfmon://CPU] stanza. I am wondering if there are any out-of-the-box dashboards or recommended searches for putting this monitoring to use. All information I have been able to find online is in regard to an EOL add-on (Splunk App for Infrastructure) or Splunk On-Premise instances. (This is a problem I have faced since beginning work on Splunk: a huge lack of documentation for Splunk Cloud vs On-Prem.) Thank you for any help in advance, Jamie
Hi @AL3Z, as I said, you have to set 644 for all conf files and 755 for folders. As @PickleRick also said, do this action on a Linux server. Ciao. Giuseppe
Hi @_pravin, the only way to have the location of a connection is mapping the clientip field with a location. You should have a map of your internal VLANs and their location, so you could put the VLANs and their location in a lookup and use it to map the clientip of the connection. Ciao. Giuseppe
Hi All,

I am trying to get login data about the number of users logged in to the Splunk instance every day. I got login data using _internal logs as well as audit logs about the number of users logged in to the instance. Is it possible to get the location of the person where he is logged in from?

index="_internal" source=*access.log user!="-" /saml/acs | timechart span=1d count by user

index=_audit login action="login attempt" | table _time user action info reason | timechart span=1d count by user

We have SAML authentication set up and not normal authentication, and since we have offices all over the world, getting the location might help identify where the users are logging in from as well. Thanks in advance.

Pravin
Does it always fail i.e. with different time ranges selected or just some of them?
From here, the "Total Pallet" panel is not giving any results. Can you please help me identify the error and suggest a fix?

<form version="1.1" theme="light">
  <label>Throughput : Highbay</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="time" token="time" id="my_date_range" searchWhenChanged="true">
        <label>Select the Time Range</label>
        <default>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </default>
        <change>
          <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum(strptime('earliest', "%s")),'earliest',relative_time(now(),'earliest')))</eval>
          <eval token="time.latest_epoch">if(isnum(strptime('latest', "%s")),'latest',relative_time(now(),'latest'))</eval>
          <eval token="macro_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "throughput_macro_summary_1d",if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "throughput_macro_summary_1h","throughput_macro_raw"))</eval>
          <eval token="form.span_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "d", if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "h", $form.span_token$))</eval>
        </change>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Total Pallet</title>
        <search>
          <query>|`$macro_token$(span_token="$span_token$")` |strcat "raw" "," location group_name | timechart span=1d count by location</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>
@ITWhisperer There is no need to raise a case; the macro is now working. I have removed the "|" from the macro used before the data model, and after that, it works fine. Let me check other stuff; if needed I will post my queries here.
I didn't use a datamodel; I was just testing using a token inside a macro.
@ITWhisperer Sure, I will. In the earlier chat, you said that you had used the same approach in your dashboard and it worked fine. Can you share with me that link for the reference?
The error message says it all - it looks like you can't use datamodel from within a macro. You could argue that this is a bug in the parser - please raise a support ticket with Splunk.
You might have a bit differently prepared macros/searches you use there.  
@PickleRick Nice explanation. But my approach is working fine on other dashboards.
Don't use Windows for manipulating Unix-related files/archives. It's the same problem as with managing apps with a deployment server run on a Windows box: Windows doesn't handle Unix file permissions properly, and even if you run WSL-based Ubuntu to access your Windows filesystem, it won't work properly since Windows file permissions don't "match" Unix ones. Just copy your tar archive to the _inside_ of your WSL instance and untar it there.
I have an Angular 10 application. Is there a way of deploying it on Splunk Enterprise? Any document reference would be great. I really appreciate the help.
throughput_macro_raw() contains

| bin _time span=$span_token$

As you showed, you call it as `throughput_macro_raw(span=1d)`. Since a macro is a simple text expansion, your $span_token$ is getting substituted with "span=1d", so your span=$span_token$ is thus expanded to span=span=1d. That's how macro expansion works.
1. This has nothing to do (or at least not much) with parsing, more about summarizing data from your event.
2. Splunk seems to have problems with using spath when the names contain dots, so extracting the "a.com" part and splitting it might not be that easy.
I have an Angular 16 application and am also facing the same issue.
@PickleRick If, in this case, I remove the span= from all the below macros, then how do the span values pass through? And the span_token values are coming from the dashboard.

<change>
  <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum(strptime('earliest', "%s")),'earliest',relative_time(now(),'earliest')))</eval>
  <eval token="time.latest_epoch">if(isnum(strptime('latest', "%s")),'latest',relative_time(now(),'latest'))</eval>
  <eval token="macro_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "throughput_macro_summary_1d",if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "throughput_macro_summary_1h","throughput_macro_raw"))</eval>
  <eval token="form.span_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "d", if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "h", $form.span_token$))</eval>
</change>