1. General remark - don't use wildcards at the beginning of your search term if you can avoid it. If you do that, Splunk has to search all events from the given timerange to verify if any events matc...
See more...
1. General remark - don't use wildcards at the beginning of your search term if you can avoid it. If you do that, Splunk has to search all events from the given timerange to verify if any events match this condition - it can't use its indexed database of terms. In your case the difference might be insignificant if the data sample is small but as a general rule it's good to know that because with a big search it can make a huge difference in performance. 2. I'm not sure what you want to achieve. If you want to return only the results which match particular field value from your lookup, you have to return it from the lookup and then filter results based on values of this field. So if you want to filter your results to only return values for particular values of app-name column in your lookup (which you return from the lookup as the application field) you need to do index=summary type=isilon_nfs-quota-alert (path="*appsdata*")
| lookup apps-nfs.csv nfs-name as path output nfs-name as found, app-name as application
| search application IN ("app1", "app2", [...]) (you can also use the "where" command to filter your results instead of "search").
Well, the answer can be "because that's just how Splunk works". And it's important to know that. If you're matching a field value to something (even if it's a wildcard meaning any value), the field ...
See more...
Well, the answer can be "because that's just how Splunk works". And it's important to know that. If you're matching a field value to something (even if it's a wildcard meaning any value), the field must exist. If the field does not exist for a given event (which can be also interpreted as the field having null value), it will not match. It is important because it can cause unexpected results if you're trying to match your events wrongly (because as you noticed, field=* does not mean "regardles of whethere there is any value in that field but means "if there is a value in that field, regardless of what it is - a subtle, yet significant difference). It also means that matching for field!=value is not the same as matching "NOT field=value". The first condition means that there must be the field and its value must be different from the specified value (which means that the condition won't match an event where there is no field at all!) and the second condition means that either there is a field which has another value or there isn't such field at all. It's important to learn this distinction because it can make all the difference between searching and finding the right stuff and not finding it.
Hello, I am adding an Alert Action with Splunk Add-on Builder, but when I click “save” it basically goes in timeout. 01-16-2024 17:01:31.340 +0100 ERROR HttpClientRequest [24831 TcpChanne...
See more...
Hello, I am adding an Alert Action with Splunk Add-on Builder, but when I click “save” it basically goes in timeout. 01-16-2024 17:01:31.340 +0100 ERROR HttpClientRequest [24831 TcpChannelThread] - HTTP client error=Read Timeout while accessing server=http://127.0.0.1:8065 for request=http://127.0.0.1:8065/en-US/custom/splunk_app_addon-builder/app_edit_modularalert/add_modular_alert. In the meanwhile if I open a new tab on the browser, whichever page I request falls in timeout as well. 01-16-2024 17:02:18.114 +0100 ERROR HttpClientRequest [7954 TcpChannelThread] - HTTP client error=Read Timeout while accessing server=http://127.0.0.1:8065 for request=http://127.0.0.1:8065/en-US. Looking into the /opt/splunk/etc/apps folder it seems my app stuck in TA-splunk-myapp_temp_output folder meanwhile is saving. splunk@SearchHead:~/etc/apps > ls -latr
drwxrwxrwx 10 splunk splunk 4096 Jan 15 16:02 TA-splunk-myapp
…
drwxrwxrwx 3 splunk splunk 4096 Jan 16 16:53 TA-splunk-myapp_temp_output I also tried to: cancel the TA-splunk-myapp_temp_output folder, restart Splunk and try again saving. increase performance from 16CPU/32GB to 32CPU/64GB but I have the same issue. It seems that the timeout comes from the “appserver” that runs on port 8065. https://docs.splunk.com/Documentation/Splunk/latest/Admin/Webconf appServerPorts = <positive integer>[, <positive integer>, <positive integer> ...]
* Port number(s) for the python-based application server to listen on.
This port is bound only on the loopback interface -- it is not
exposed to the network at large.
* Generally, you should only set one port number here. For most
deployments a single application server won't be a performance
bottleneck. However you can provide a comma-separated list of
port numbers here and splunkd will start a load-balanced
application server on each one.
* At one time, setting this to zero indicated that the web service
should be run in a legacy mode as a separate service, but as of
Splunk 8.0 this is no longer supported.
* Default: 8065 I am thinking about: Put the logs in DEBUG Adding other ports to start load-balanced application server Any suggestion is really appreciated. Thanks a lot, Edoardo
thank you so much for your help and for sharing the resources, I will go through them. I ran the search but I am getting the following error message: "Right hand side of IN must be a collecti...
See more...
thank you so much for your help and for sharing the resources, I will go through them. I ran the search but I am getting the following error message: "Right hand side of IN must be a collection of literals. '(range = "10.0.0.0/8")' is not a literal The search job has failed due to an error..." I got this error before, I assumed that when using lookups the WHERE IN clause needs to be changed for something else maybe? not sure =/ thanks in advanced!
Colour can be defined a number of ways - here is a list of the standard named colour <named-color> - CSS: Cascading Style Sheets | MDN (mozilla.org) I am not sure if there is a limit but I have over...
See more...
Colour can be defined a number of ways - here is a list of the standard named colour <named-color> - CSS: Cascading Style Sheets | MDN (mozilla.org) I am not sure if there is a limit but I have over 120 single values in one trellis.
This is very neat @ITWhisperer - but I have 2 more questions with regards to your answer. Where are the colours defined (i.e. are there more, like pink and purple)? Is Trellis limited to the numb...
See more...
This is very neat @ITWhisperer - but I have 2 more questions with regards to your answer. Where are the colours defined (i.e. are there more, like pink and purple)? Is Trellis limited to the number of graphs it can create (I can't get more than 12 for some reason).
Hello everyone, I'm working on Splunk Entreprise and on the Search & Reporting app. I made many drop-down menu to filter my data. I've a special field who can be "void" and with value. How ...
See more...
Hello everyone, I'm working on Splunk Entreprise and on the Search & Reporting app. I made many drop-down menu to filter my data. I've a special field who can be "void" and with value. How can I make include the void value on the drop-down menu's ? Because when I select "*" on the drop-down menu Splunk return all the value of the field but I want to select the "void" value too. Thanks in advance!
I believe the command you are looking for is scrub. I attended .Conf last year where an instructor used this command to replace "real data" with dummy information, while keeping the format of the da...
See more...
I believe the command you are looking for is scrub. I attended .Conf last year where an instructor used this command to replace "real data" with dummy information, while keeping the format of the data. This command comes in useful when wanting to anonymize the data, when passing it on to a 3rd party etc. I use it when pasting data into 3rd party websites, to work on Regex extractions. |scrub
Hi @toporagno , this means that you have to manually or by Deployment Server update your inputs.conf stanza in the Universal Forwarder, adding the lines for index and sourcetype. Ciao. Giuseppe
https://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#chart_.28event_tokens.29:~:text=Data%20Property,segment%2C%20or%20if%20not%20applicable%2C%20the%20time%20range%20of%20th...
See more...
https://docs.splunk.com/Documentation/Splunk/latest/Viz/EventHandlerReference#chart_.28event_tokens.29:~:text=Data%20Property,segment%2C%20or%20if%20not%20applicable%2C%20the%20time%20range%20of%20the%20search. Depending on if you want the X or Y axis value, you'll want to use tokens from above reference.
Hi @danroberts , Hi the counter of the memory is one, if you have other counters, you should have also this. Anyway, it should be [perfmon://Memory] Ciao. Giuseppe
