Find Answers
@ITWhisperer Even the below is also not giving any results. And I have already mentioned the source in the data model.
1. Do you get _any_ data from this forwarder? Especially events into the _internal index.
2. Do you see any errors in c:\program files\splunk (or SplunkUniversalForwarder, depending on version)\var\log\splunk\splunkd.log on the forwarder?
3. What is the output of splunk list monitor and splunk list inputstatus run on your UF?
As far as I can see, after you substitute your token you end up with (somewhere in the middle of your expanded macro)

| bin _time span=span=1d

Either remove the "span=" part from the macro definition or from the argument you're passing to it.
In your first not working screenshot, you have used an argument called "span" but the macro definition calls the argument "span_token", hence the error. For the second not working example, as I asked before, what exactly is not working? By the way, your dashboard source is incomplete so it could be something to do with the way you have set up span_token but you haven't shown this so I can't tell. Please provide all relevant information to maximise your chances of getting a solution.
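The two replies above describe the same mismatch from two sides: the name used in the call must match the name declared in the macro's args, and "span=" has to appear in exactly one place. The following is a constructed macros.conf stanza added to illustrate that; it is not the asker's real definition, and the index, sourcetype and field names are placeholders.

```ini
# Constructed example, not the asker's actual macros.conf.
# "(1)" in the stanza name is the argument count; "args" declares the name
# that $span_token$ refers to inside the definition.
[throughput_macro_raw(1)]
args = span_token
definition = index=your_index sourcetype=your_sourcetype | bin _time span=$span_token$ | stats count by _time location group_name
iseval = 0

# Correct call from a search or a dashboard <query>: the argument name matches
# "args", and the value is the bare span because the definition already
# supplies "span=":
#   | `throughput_macro_raw(span_token=1d)`
#
# Both of these fail:
#   | `throughput_macro_raw(span=1d)`            -> the macro has no argument named "span"
#   | `throughput_macro_raw(span_token=span=1d)` -> expands to "| bin _time span=span=1d"
```

When a dashboard token feeds the argument, check what the token actually contains (for example with a text panel showing $span_token$) before blaming the macro: a token that carries the "span=" prefix, or a unit-only value such as "d", produces the same expansion error.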
Hi @sekhar463, I suppose that you already configured outputs.conf and that you're already receiving logs from that machine. Please try this:

[monitor://C:\Program Files\Crestron\CCS400\User\Logs\CCSFirmwareUpdate.txt]
index=Testindx
sourcetype=test_sourcetype
disabled=0

Ciao. Giuseppe
@ITWhisperer There are two things: what is "working" and what is "not working".
Working: the data model below is giving the results.
Not working: when I use the data model under this macro `throughput_macro_raw(span=1d)` it is not giving any results.
Not working: as well, in the dashboard the query below is also not working:
<query>|`$macro_token$(span_token="$span_token$")` |strcat "raw" "," location group_name | timechart span=1d count by location
Please help me to execute and fix these queries.
Hi, I have configured the log file stanza below but I am not getting data into Splunk from the Windows UF. The latest data is from Jan 4th, but that data also did not come in. Does any parameter need to be added? Below is the config file:

[monitorNoHandle://C:\Program Files\Crestron\CCS400\User\Logs\CCSFirmwareUpdate.txt]
index=Testindx
sourcetype=test_sourcetype
disabled=0
"not working fine" is not a useful phrase. Exactly, what is not working? What results are you getting? What results were you expecting? (I created a similar dashboard and macro arrangement and it works fine for me!)
JSON:

| makeresults
| eval _raw="{ \"a.com\": [ { \"yahoo.com\":\"10ms\",\"trans-id\": \"x1\"}, { \"google.com\":\"20ms\",\"trans-id\": \"x2\"} ], \"trans-id\":\"m1\", \"duration\":\"33ms\" }"

I need the output in the format below:

_time  Trans_id  url    Duration  sub_duration  sub_url     sub_trans_id
       m1        a.com  33ms      10ms          yahoo.com   x1
       m1        a.com  33ms      20ms          google.com  x2
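One way to produce that table, added here as an example and not part of the original post. The parent fields come from spath; the child objects are captured as multivalue fields with a single rex, zipped together, and expanded to one row per child. It assumes the sample's shape: one top-level array keyed by the URL, and each child object holding exactly one "<host>":"<duration>" pair followed by "trans-id".

```spl
| makeresults
| eval _raw="{ \"a.com\": [ { \"yahoo.com\":\"10ms\",\"trans-id\": \"x1\"}, { \"google.com\":\"20ms\",\"trans-id\": \"x2\"} ], \"trans-id\":\"m1\", \"duration\":\"33ms\" }"
| spath output=Trans_id path="trans-id"
| spath output=Duration path="duration"
| rex field=_raw "\"(?<url>[^\"]+)\"\s*:\s*\["
| rex field=_raw max_match=0 "\{\s*\"(?<sub_url>[^\"]+)\"\s*:\s*\"(?<sub_duration>[^\"]+)\"\s*,\s*\"trans-id\"\s*:\s*\"(?<sub_trans_id>[^\"]+)\"\s*\}"
| eval sub=mvzip(mvzip(sub_url, sub_duration, "|"), sub_trans_id, "|")
| fields - sub_url sub_duration sub_trans_id
| mvexpand sub
| rex field=sub "^(?<sub_url>[^|]+)\|(?<sub_duration>[^|]+)\|(?<sub_trans_id>.*)$"
| table _time Trans_id url Duration sub_duration sub_url sub_trans_id
```

The first rex picks up the key whose value is an array (the url column); the second one, with max_match=0, matches each child object because the outer object's first key is followed by "[" rather than a quoted string, so it is skipped. The multivalue fields are dropped before mvexpand so the final rex on the zipped value produces clean single-valued columns. If a real event can contain more than one child array, or child objects with extra keys, switch the second rex to a spath over "a.com{}" and extract from the expanded child instead.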
Under "Activity" you have "Triggered Alerts" but I can't seem to make an easy-to-read overview/email a PDF with these numbers. I would like to create a report of the following:

In the previous month the following alerts were triggered:
Use case 1: 15 alerts
Use case 2: 10 alerts
Use case 3: 3 alerts
Use case 4: 0 alerts

I can make this manually in a dashboard but it will take a long time to do when you have 100+ use cases. Does anybody have any insights on how to create this quickly in a (scheduled) report for the previous month?
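A starting point for that report, added here as an example rather than an answer from the thread. It counts alert firings recorded in the _audit index for the previous calendar month and appends every tracked, scheduled saved search with a count of zero, so use cases that never fired still appear. The field names (action=alert_fired, ss_name, is_scheduled, alert.track) are from memory and should be confirmed in your environment with a quick `index=_audit action=alert_fired | head 5` before the search is scheduled; reading _audit and the saved/searches endpoint also requires the right capabilities for the report's owner.

```spl
index=_audit action=alert_fired earliest=-1mon@mon latest=@mon
| stats count AS alerts BY ss_name
| append
    [| rest /servicesNS/-/-/saved/searches splunk_server=local
     | search is_scheduled=1 alert.track=1
     | rename title AS ss_name
     | eval alerts=0
     | table ss_name alerts]
| stats sum(alerts) AS alerts BY ss_name
| sort - alerts
| rename ss_name AS "Use case", alerts AS "Alerts last month"
```

Schedule it on the first of the month with the same earliest/latest so the window is always the full previous month, and enable the PDF delivery on the scheduled report. The alert.track=1 filter restricts the zero rows to alerts that appear under "Triggered Alerts"; drop it if you also want untracked alerts listed.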
Yes, it worked  
I found it! In my list there were no quotes around the values in my token, and without quotes it doesn't work here. The solution was |s$:

| where IN('applicatie', $token_cfapp|s$)
Thank you very much, that has helped me. Have a good one
Hi @Veerendra, it's a sample that I had to simplify, but you can see the approach:

<form script="run_action.js" theme="light" version="1.1">
  <label>Manage All Cases</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="radio" token="resetTokens" searchWhenChanged="true">
      <label/>
      <choice value="reset">Reset Inputs</choice>
      <choice value="retain">Retain</choice>
      <default>reset</default>
      <change>
        <condition value="reset">
          <unset token="_key"/>
          <unset token="timestamp"/>
          <unset token="alertname"/>
          <unset token="description"/>
          <unset token="status"/>
          <unset token="notes"/>
          <unset token="username"/>
          <unset token="status_to_update"/>
          <unset token="notes_to_update"/>
          <unset token="username_to_update"/>
          <unset token="status_updated"/>
          <unset token="notes_updated"/>
          <unset token="username_updated"/>
          <unset token="form._key"/>
          <unset token="form.timestamp"/>
          <unset token="form.alertname"/>
          <unset token="form.description"/>
          <unset token="form.status"/>
          <unset token="form.notes"/>
          <unset token="form.user"/>
          <unset token="form.status_to_update"/>
          <unset token="form.notes_to_update"/>
          <unset token="form.username_to_update"/>
          <unset token="form.status_updated"/>
          <unset token="form.notes_updated"/>
          <unset token="form.username_updated"/>
          <set token="resetTokens">retain</set>
          <set token="form.resetTokens">retain</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <input type="dropdown" token="User_Name">
        <label>User Name</label>
        <choice value="*&quot; OR NOT User_Name=&quot;*">All</choice>
        <prefix>User_Name="</prefix>
        <suffix>"</suffix>
        <fieldForLabel>User_Name</fieldForLabel>
        <fieldForValue>User_Name</fieldForValue>
        <search>
          <query>| inputlookup open_cases | dedup User_Name | sort User_Name | table User_Name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default>*" OR NOT User_Name="*</default>
      </input>
      <input type="dropdown" token="Status">
        <label>Status</label>
        <choice value="*">All</choice>
        <prefix>Status="</prefix>
        <suffix>"</suffix>
        <fieldForLabel>Status</fieldForLabel>
        <fieldForValue>Status</fieldForValue>
        <search>
          <query>| inputlookup open_cases WHERE Status!="Escalation" | dedup Status | sort Status | table Status</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default>*</default>
      </input>
      <input type="dropdown" token="Alert_Name">
        <label>Alert Name</label>
        <choice value="*">All</choice>
        <prefix>Alert_Name="</prefix>
        <suffix>"</suffix>
        <fieldForLabel>Alert_Name</fieldForLabel>
        <fieldForValue>Alert_Name</fieldForValue>
        <search>
          <query>| inputlookup open_cases | dedup Alert_Name | sort Alert_Name | table Alert_Name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default>*</default>
      </input>
      <table id="master">
        <title>Total All Cases = $server_count$</title>
        <search>
          <query>| inputlookup open_cases WHERE $User_Name$ $Status$ $Alert_Name$ Status!="Escalation" | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key | table key Time Alert_Name Description Status Notes User_Name TimeStamp</query>
          <!--<earliest>$Time.earliest$</earliest> <latest>$Time.latest$</latest>-->
          <sampleRatio>1</sampleRatio>
          <progress>
            <set token="server_count">$job.resultCount$</set>
          </progress>
          <cancelled>
            <unset token="server_count"/>
          </cancelled>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <fields>["_key","Time","Alert_Name","Description","Status","Notes","User_Name"]</fields>
        <drilldown>
          <set token="key">$row.key$</set>
          <set token="timestamp">$row.TimeStamp$</set>
          <set token="alertname">$row.Alert_Name$</set>
          <set token="description">$row.Description$</set>
          <set token="status">$row.Status$</set>
          <set token="notes">$row.Notes$</set>
          <set token="username">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Modify Row</title>
      <input type="dropdown" token="status_to_update">
        <label>Status</label>
        <default>$status$</default>
        <search>
          <query/>
        </search>
        <choice value="Closed">Closed</choice>
        <choice value="Work-in-progress">Work-in-progress</choice>
        <choice value="Escalation">Escalation</choice>
        <choice value="Stand-By">Stand-By</choice>
      </input>
      <input type="text" token="notes_to_update">
        <label>Add Notes</label>
        <default>$notes$</default>
      </input>
      <table id="detail" depends="$key$">
        <title>Row to modify</title>
        <search>
          <query>| makeresults 1 | eval key="$key$", TimeStamp="$timestamp$", Alert_Name="$alertname$", Description="$description$", Status="$status_to_update$", Notes="$notes_to_update$", Time=strftime($timestamp$,"%d/%m/%Y %H:%M:%S"), User_Name="$username$" | table key Time TimeStamp Alert_Name Description Status Notes User_Name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <fields>_key,Time,Alert_Name,Description,Status,Notes,User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="status_updated">$row.Status$</set>
          <set token="notes_updated">$row.Notes$</set>
          <set token="username_updated">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="detail2" depends="$status_to_update$">
        <title>Modified Lookup row</title>
        <search>
          <query>| inputlookup open_cases | eval Status=if(_key="$key$","$status_updated$",Status), Notes=if(_key="$key$","$notes_updated$",Notes), User_Name=if(_key="$key$","$username_updated$",User_Name) | search _key="$key$" | outputlookup open_cases append=true | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key | table key Time TimeStamp Alert_Name Description Status Notes User_Name</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <fields>_key,Time,Alert_Name,Description,Status,Notes,User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

My use case was more complicated than yours because I had to manually modify some fields; in your use case you can automatically update the values. I hope that this can help. Ciao. Giuseppe
Hi @gcusello, is it possible for you to provide sample code for what you want me to do in the 3rd scenario?
Hi @AL3Z, don't untar the app in Windows; copy it to Ubuntu and untar it in Ubuntu, so you can modify it as you want and give the files and folders the correct grants. Then tar it (tar.gz) and copy the tarred file to the machine you will use for the upload (also Windows). In other words, passing through Windows erases the grants, so when you try to upload it to Splunk Cloud it has the wrong grants. It's the same issue you have if you try to use a Windows Deployment Server to deploy apps to Linux servers. Ciao. Giuseppe
Hi Ryan, Thanks for your support. I have already contacted AppD Support Team and they only asked me to check here. Thanks, Sikha
Hello Splunkers!! I have pasted my dashboard code, and in this text I am attaching a screenshot of the macro. When I pass the macros below in the dashboard it is not working fine. Please suggest how to proceed further.
<row>
  <panel>
    <title>General Filters</title>
    <input type="time" token="time" id="my_date_range" searchWhenChanged="true">
      <label>Select the Time Range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
      <change>
        <eval token="time.earliest_epoch">if('earliest'="",0,if(isnum(strptime('earliest', "%s")),'earliest',relative_time(now(),'earliest')))</eval>
        <eval token="time.latest_epoch">if(isnum(strptime('latest', "%s")),'latest',relative_time(now(),'latest'))</eval>
        <eval token="macro_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "throughput_macro_summary_1d",if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "throughput_macro_summary_1h","throughput_macro_raw"))</eval>
        <eval token="form.span_token">if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 2592000, "d", if($time.latest_epoch$ - $time.earliest_epoch$ &gt; 86400, "h", $form.span_token$))</eval>
      </change>
    </input>
  </panel>
</row>
<row>
  <panel>
    <chart>
      <title>Total Pallet</title>
      <search>
        <query>|`$macro_token$(span_token="$span_token$")` |strcat "raw" "," location group_name | timechart span=1d count by location</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <option name="charting.chart">column</option>
      <option name="charting.chart.stackMode">stacked</option>
      <option name="charting.drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </chart>
  </panel>
</row>
</form>
@gcusello Hello, I actually untarred the file in Windows using 7zip. Afterward, I employed the Ubuntu app from the app store and executed the following command:

COPYFILE_DISABLE=1 tar --format ustar -cvzf <appname>.tar.gz <appname_directory>

Despite using "chmod 644 appname," the permissions persist at 777. Any suggestions on how to rectify this? Thanks
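A worked version of the procedure Giuseppe describes two posts up, added here as an example and not taken from either post: it normalises the modes on the Linux side (directories 755, files 644, scripts under bin/ 755) before packing, then lists the archive and fails if any entry is world-writable, which is the check that catches the 777 symptom reported in the last post before the upload does. It assumes the app directory has been copied onto the Linux filesystem itself (for example under $HOME); on WSL, a path under /mnt/c is a DrvFs mount that reports every file as 777 and silently ignores chmod unless the mount has the metadata option, so a chmod run there changes nothing. The function names are hypothetical.

```sh
#!/bin/sh
# Hypothetical helpers (not from the thread) to package a Splunk app with
# sane permissions. Assumption: the app directory lives on a native Linux
# path, not under /mnt/c, so chmod actually takes effect.
set -eu

# Directories 755, files 644, anything under bin/ executable.
normalize_app_perms() {
    app_dir="$1"
    find "$app_dir" -type d -exec chmod 755 {} +
    find "$app_dir" -type f -exec chmod 644 {} +
    if [ -d "$app_dir/bin" ]; then
        find "$app_dir/bin" -type f -exec chmod 755 {} +
    fi
}

# Pack <app_dir> as <out.tar.gz>: ustar format, no macOS resource forks,
# owner/group forced to root so no WSL/Windows uid or gid leaks into the archive.
pack_splunk_app() {
    app_dir="$1"
    out="$2"
    normalize_app_perms "$app_dir"
    parent=$(dirname "$app_dir")
    name=$(basename "$app_dir")
    COPYFILE_DISABLE=1 tar --format ustar --owner=0 --group=0 \
        -C "$parent" -czf "$out" "$name"
}

# Print the archive listing and return 1 if any entry is world-writable
# (the 9th character of the mode string is the "other" write bit).
verify_app_tarball() {
    out="$1"
    listing=$(tar -tvzf "$out")
    printf '%s\n' "$listing"
    if printf '%s\n' "$listing" | awk '{print $1}' | grep -q '^........w'; then
        echo "ERROR: world-writable entries in $out" >&2
        return 1
    fi
    return 0
}

# Usage:
#   pack_splunk_app "$HOME/my_app" "$HOME/my_app.tar.gz" && verify_app_tarball "$HOME/my_app.tar.gz"
```

Run the verify step on the archive, not on the extracted directory: the modes stored inside the tarball are what Splunk Cloud sees, so a listing that shows rw-r--r-- and rwxr-xr-x entries with 0/0 ownership is the thing to look for before uploading.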