Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
01-18-2024
09:06 AM
1 Karma
Try including by _time on this line | stats values(NumberOfAuthErrors) AS NumberOfAuthErrors, values(TotalRequest) AS TotalRequest by _time
01-18-2024
08:53 AM
1 Karma
Probably a few ways of doing this, but if you have access to index=_internal you can try something like this. index=_internal component=Metrics group=per_index_thruput earliest=-30d@d latest=now
...
See more...
Probably a few ways of doing this, but if you have access to index=_internal you can try something like this. index=_internal component=Metrics group=per_index_thruput earliest=-30d@d latest=now
| bucket span=1h _time
| stats
sum(kb) as hourly_kb,
sum(ev) as hourly_events,
by _time, series
| stats
earliest(_time) as earliest_event,
latest(_time) as latest_event,
count as sample_size,
avg(hourly_kb) as avg_hourly_kb,
sum(hourly_kb) as total_kb,
avg(hourly_events) as avg_hourly_events,
sum(hourly_events) as total_events
by series
| convert
ctime(earliest_event),
ctime(latest_event)
| rename
series as index
01-18-2024
08:51 AM
I want the base url of the asset of the http app to be dynamic and filled with the information that I take from the sources (artifact) through a flow, as I would do to replace the one that is inserte...
See more...
I want the base url of the asset of the http app to be dynamic and filled with the information that I take from the sources (artifact) through a flow, as I would do to replace the one that is inserted in the asset By default, this is in the http app with the get data method
Labels
- Labels:
-
using Splunk Cloud
01-18-2024
08:50 AM
Hi All, I'm trying to calculate the failureRate as a percentage between the NumberOfAuthErrors column and the TotalRequest column, but i do not get any values. I do have two columns of values. I wo...
See more...
Hi All, I'm trying to calculate the failureRate as a percentage between the NumberOfAuthErrors column and the TotalRequest column, but i do not get any values. I do have two columns of values. I would like to calculate the failureRate for each ROW. [SEARCH]
| bin _time span=15m
| stats count as NumberOfAuthErrors by _time
| append
[ SEARCH | bin _time span=15m | stats count as TotalRequest by _time ]
| stats values(NumberOfAuthErrors) AS NumberOfAuthErrors, values(TotalRequest) AS TotalRequest
| eval failureRate = round((NumberOfAuthErrors / TotalRequest) * 100,3)
| table TotalRequest NumberOfAuthErrors failureRate thanks
Labels
- Labels:
-
stats
01-18-2024
08:32 AM
Hi, I am looking for a search to list out all of the indexes in Splunk. I know how to get the full but looking for a clear way to get a list of the ones being used and actively received data with...
See more...
Hi, I am looking for a search to list out all of the indexes in Splunk. I know how to get the full but looking for a clear way to get a list of the ones being used and actively received data within the last 30 days. Thanks in advance!
01-18-2024
08:18 AM
Thank you mate for the help, Below corrected one helped with faster results.
|chart latest(Count) as Count by ProcessDate,Name
|sort 0 - ProcessDate
| transpose 0 column_name=Name header_field...
See more...
Thank you mate for the help, Below corrected one helped with faster results.
|chart latest(Count) as Count by ProcessDate,Name
|sort 0 - ProcessDate
| transpose 0 column_name=Name header_field=ProcDate
01-18-2024
08:15 AM
1 Karma
https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/Rolesandcapabilities schedule_search Lets the user schedule saved searches, create and update alerts, review triggered alert informati...
See more...
https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/Rolesandcapabilities schedule_search Lets the user schedule saved searches, create and update alerts, review triggered alert information, and use the sendemail command. So this capability is by default provided to power user roles. You can clone the power user role to a custom name for your organization. Inside that cloned version you can remove the above capability. Some apps such as ITSI are preset to inherit the power user role so you still have to watch the inherited capability lists. Updated: Copy and Pasted wrong capability originally.
01-18-2024
08:08 AM
Thank you!
01-18-2024
07:45 AM
Good Morning, I am running into an issue where my two newest Server 2022 endpoints have events that are showing up non-XML, whereas all my other endpoints are outputting in XML. I have renderXml=tru...
See more...
Good Morning, I am running into an issue where my two newest Server 2022 endpoints have events that are showing up non-XML, whereas all my other endpoints are outputting in XML. I have renderXml=true in the inputs.conf and the inputs.conf files in the Splunk_TA_windows are the same for each endpoint. I can't find the difference causing this. One thing I have learned through this is that I may prefer non-XML so if these two endpoints are not respecting renderXml=true, how do I know all the others will respect the false value to match them all up? Is there somewhere overriding this? I have not edited any \etc\system\default\inputs.conf files. They're all in local or an app. Thank you in advance! Edit: I am on Splunk Cloud. Scott
Labels
- Labels:
-
inputs.conf
-
universal forwarder
-
Windows
01-18-2024
07:40 AM
It sounds like the original data has too many lines/events. You may want to implement EventBreaker or LineBreak in your props.conf on the ingest before you need to apply any search time eval or mvex...
See more...
It sounds like the original data has too many lines/events. You may want to implement EventBreaker or LineBreak in your props.conf on the ingest before you need to apply any search time eval or mvexpand.
01-18-2024
07:39 AM
1 Karma
| transpose 0 column_name=Date header_field=Name
| sort 0 -Date
| transpose 0 column_name=Name header_field=Date
01-18-2024
07:39 AM
No, it is not working
01-18-2024
07:31 AM
Try | chart latest(Count) as Count by Name, ProcessDate | sort ProcessDate desc Found a very similar request under this previously answered question. https://community.splunk.com/t5/Splunk-Search...
See more...
Try | chart latest(Count) as Count by Name, ProcessDate | sort ProcessDate desc Found a very similar request under this previously answered question. https://community.splunk.com/t5/Splunk-Search/How-to-display-column-results-in-descending-order/m-p/405619
01-18-2024
07:25 AM
Hello, I tested your solution and it worked. Thank you for your help. 1) if I put eval on employee_data, will it change the original data? 2) I apply the solution on the real data and I got ...
See more...
Hello, I tested your solution and it worked. Thank you for your help. 1) if I put eval on employee_data, will it change the original data? 2) I apply the solution on the real data and I got the following error. How do I fix this without increasing memory limit? command.mvexpand: output will be truncated at 1000 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached
01-18-2024
07:22 AM
1 Karma
SEDCMD-strip-tcp-priority=s/^<\d+>\d\s//
01-18-2024
07:08 AM
I have a chart formed like below and it's dynamic columns are created based on processes date. By default now the column header sort is happing from lower to higher value but I am looking in a format...
See more...
I have a chart formed like below and it's dynamic columns are created based on processes date. By default now the column header sort is happing from lower to higher value but I am looking in a format where headers of processDates are higher to lower. Query: |chart latest(Count) as Count by Name ,ProcessDate Current Output: Name 20240101 20240102 20240103 xyz NA NA NA 123 NA NANA NA Expecting output: Name 20240103 20240102 20240101 xyz NA NA NA 123 NA NANA NA
Labels
- Labels:
-
chart
01-18-2024
07:01 AM
Hi @avadhutha -
I’m a Community Moderator in the Splunk Community. This question was posted 10 years ago, so it might not get the attention you need for your question to be answered. We recommend...
See more...
Hi @avadhutha -
I’m a Community Moderator in the Splunk Community. This question was posted 10 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.
Thank you!
01-18-2024
07:01 AM
Is there a way to disable all email capabilities for a particular role in Splunk? The data in our deployment has to be strictly contained for compliance reasons, so email capability should be strictl...
See more...
Is there a way to disable all email capabilities for a particular role in Splunk? The data in our deployment has to be strictly contained for compliance reasons, so email capability should be strictly limited to users with admin access. Is there a way to do this? I'm having a hard time finding this in the docs.
01-18-2024
07:01 AM
1 Karma
The syntax you gave is the right one for adding a new SH to a cluster, but you don't need it just to install ES on an SH. Create a new SH and install ES on it using the instructions in the ES manual.
01-18-2024
06:58 AM
I'm trying to set up the HTTP app to access the CIsco Secure Endpoint API (v3). I've generated the access token following the instructions found here. I can send a curl request in POSTMAN, using ...
See more...
I'm trying to set up the HTTP app to access the CIsco Secure Endpoint API (v3). I've generated the access token following the instructions found here. I can send a curl request in POSTMAN, using the access token, to get organisation details. So I know the access token is ok: curl -s 'https://api.amp.cisco.com/v3/organizations?size=10' \
--header "Authorization: Bearer eyJhbGciOiJ....." When I enter the same value in the access_token field in the HTTP app and test connectivity, I always receive the following error status code: error 401 Data from server: {"errors":["Missing token"]} I'm not sure what to enter for the Type of Authentication Token, so maybe that's where I'm messing it up. I think it should be Bearer, because that's the only thing in POSTMAN header other than the token itself. Note that I haven't entered anything in any of the other authentication fields (username, password, url, Client ID, Client Secret). And also - I get the same error if I don't enter anything in the access token field. Basically, it's just ignored.
Labels
- Labels:
-
configuration
-
troubleshooting
