Thank you mate for the help. The corrected one below helped with faster results.

|chart latest(Count) as Count by ProcessDate,Name |sort 0 - ProcessDate | transpose 0 column_name=Name header_field=ProcDate
https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/Rolesandcapabilities

schedule_search: Lets the user schedule saved searches, create and update alerts, review triggered alert information, and use the sendemail command.

So this capability is by default provided to power user roles. You can clone the power user role to a custom name for your organization. Inside that cloned version you can remove the above capability. Some apps such as ITSI are preset to inherit the power user role, so you still have to watch the inherited capability lists.

Updated: I copied and pasted the wrong capability originally.
Good Morning, I am running into an issue where my two newest Server 2022 endpoints have events that are showing up non-XML, whereas all my other endpoints are outputting in XML. I have renderXml=true in the inputs.conf and the inputs.conf files in the Splunk_TA_windows are the same for each endpoint. I can't find the difference causing this. One thing I have learned through this is that I may prefer non-XML so if these two endpoints are not respecting renderXml=true, how do I know all the others will respect the false value to match them all up? Is there somewhere overriding this? I have not edited any \etc\system\default\inputs.conf files. They're all in local or an app. Thank you in advance! Edit: I am on Splunk Cloud. Scott
It sounds like the original data has too many lines/events.  You may want to implement EventBreaker or LineBreak in your props.conf on the ingest before you need to apply any search time eval or mvexpand.
| transpose 0 column_name=Date header_field=Name | sort 0 -Date | transpose 0 column_name=Name header_field=Date
No, it is not working
Try | chart latest(Count) as Count by Name, ProcessDate | sort ProcessDate desc Found a very similar request under this previously answered question. https://community.splunk.com/t5/Splunk-Search/How-to-display-column-results-in-descending-order/m-p/405619
Hello, I tested your solution and it worked. Thank you for your help.

1) If I put eval on employee_data, will it change the original data?
2) I applied the solution on the real data and I got the following error. How do I fix this without increasing the memory limit?

command.mvexpand: output will be truncated at 1000 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached
SEDCMD-strip-tcp-priority=s/^<\d+>\d\s//
I have a chart formed like below and its dynamic columns are created based on process dates. By default the column header sort is happening from lower to higher value, but I am looking for a format where the ProcessDate headers go from higher to lower.

Query:
|chart latest(Count) as Count by Name ,ProcessDate

Current Output:
Name    20240101  20240102  20240103
xyz     NA        NA        NA
123     NA        NA        NA

Expecting output:
Name    20240103  20240102  20240101
xyz     NA        NA        NA
123     NA        NA        NA
Hi @avadhutha - I’m a Community Moderator in the Splunk Community. This question was posted 10 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
Is there a way to disable all email capabilities for a particular role in Splunk? The data in our deployment has to be strictly contained for compliance reasons, so email capability should be strictly limited to users with admin access. Is there a way to do this? I'm having a hard time finding this in the docs. 
The syntax you gave is the right one for adding a new SH to a cluster, but you don't need it just to install ES on an SH.  Create a new SH and install ES on it using the instructions in the ES manual.
I'm trying to set up the HTTP app to access the Cisco Secure Endpoint API (v3). I've generated the access token following the instructions found here. I can send a curl request in POSTMAN, using the access token, to get organisation details, so I know the access token is ok:

curl -s 'https://api.amp.cisco.com/v3/organizations?size=10' \ --header "Authorization: Bearer eyJhbGciOiJ....."

When I enter the same value in the access_token field in the HTTP app and test connectivity, I always receive the following error status code:

error 401 Data from server: {"errors":["Missing token"]}

I'm not sure what to enter for the Type of Authentication Token, so maybe that's where I'm messing it up. I think it should be Bearer, because that's the only thing in the POSTMAN header other than the token itself. Note that I haven't entered anything in any of the other authentication fields (username, password, url, Client ID, Client Secret). And also - I get the same error if I don't enter anything in the access token field. Basically, it's just ignored.
@ksing Thanks for sharing the script, it's running fine. But, still the Splunk Service is not running, please refer to the below output details. Additionally, I am thinking that the existing version was not uninstalled properly/corrupted. Is there a proper way to clean existing Splunk entries from the device? Thanks.

Output:
Status  Name             DisplayName
------  ----             -----------
Stopped SplunkForwarder  SplunkForwarder Service
SplunkForwarder service is Running on
Copying necessary files for splunk ...
stopping splunk service
copying C:\splunk_install
copy C:\splunk_install complete
copying
Copy-Item : Cannot bind argument to parameter 'Path' because it is null.
At line:18 char:26
+ Copy-Item -Recurse -Path $opappsrc -Destination $appPath -Force
+                          ~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Copy-Item], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CopyItemCommand
copy conmplete
Start-Service : Service 'SplunkForwarder Service (SplunkForwarder)' cannot be started due to the following error: Cannot start service SplunkForwarder on computer '.'.
At line:20 char:1
+ Start-Service -Name SplunkForwarder
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
Validating by checking if service is running.
Get-Service : Cannot validate argument on parameter 'ComputerName'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At line:22 char:51
+ Get-Service -Name "SplunkForwarder" -ComputerName $file -ErrorAction ...
+                                                   ~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-Service], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell.Commands.GetServiceCommand
SplunkForwarder service is Running on
Complete
Hi @mninansplunk , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi, Can you please share the exact commands you've run so far? And also the values of those environment variables you set? Assuming these are the docs you're using:

Python: https://docs.splunk.com/observability/en/gdi/get-data-in/application/python/instrumentation/instrument-python-application.html#instrument-python-applications
Django: https://docs.splunk.com/observability/en/gdi/get-data-in/application/python/instrumentation/instrument-python-frameworks.html#django-instrumentation
@avitallangedo you have any solution to sort from higher to lower for a dynamic columns in a chart?
If you need to tweak your regexes, that's a great interactive tool to test them. https://regex101.com/