Hi @navarec - I’m a Community Moderator in the Splunk Community. This question was posted 4 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!
I'm not an AWS expert, but increasing the amount of memory on the instance will probably incur additional cost. The Monitoring Console (MC) should show how much memory searches are using. In the MC, go to Resource Usage -> Resource Usage: Instance.
Hi, is it possible to first export OTEL data to a file (or something) and then import that file into a new Splunk install? We have a cluster with 3 INDEXERS and I want to export specific host data out of it and import it into a Test and Development install. Is this possible? @js15 Regards, Robert
Good morning. We had the same error and attempted to resolve it through the same method above, but the difference is that we have a cluster of events services. In other words, we have 3 master nodes. One node works fine, but the other two start and then shut down, stating that elasticsearch never started. Is there a similar solution for that?
On our Monitoring Console "Overview", no metrics are displayed under "Resource Usage" for any of the categories "Indexers", "Search Heads", etc. It is not the browser; we have tried from different computers with the same result. There are no WARN or ERROR messages on the host, no errors on the "Setup" page, and CPU/RAM utilization is extremely low. Has anybody else experienced this?
Hello. Thank you for the response. I think it's 8GB. If I increase the memory, will I be charged on the AWS account? Secondly, how can we reduce memory usage in my Splunk Console?
Hello @dtburrows3, I didn't know about this "useother" option, and it works; it's exactly what I was looking for. Thank you very much for your help. Sincerely, Lionel M.
You can try
| timechart span=1w useother=false limit=10 count by Service
This should limit the chart to only the top 10 and also discard any events that don't fall into the top 10.
Hello community, I am having a problem displaying a graph. I have an index that contains incidents from several monitoring tools. I need to pull up a top 10 of the most recurring alerts (that's done). However, for this top 10, I am asked for a graph showing the evolution of the number of errors per week (in order to see, for example, when a fix has been deployed). And this is where I encounter a problem: in my query, I have my top 10 but also an OTHER series which groups together everything that is outside the top 10. Here is the query that produces this graph:
index=oncall_prod
| search routingKey != "routingdynatrace_cluster"
| dedup incidentNumber
| rename entityDisplayName as Service
| timechart span=1w count by Service
| sort - count limit=10
I tried to use "head" or "top" to force the display of only the first 10 results, but in the case of "head" it doesn't change anything, and in the case of "top" my screen remains empty. I've searched the forum and it's often these two answers that come up, but in my case they don't work. Do you know how to remove the OTHER series so that only the first 10 results appear in my graph? Sincerely, Rajaion
@gcusello - I was able to find the way with rename:
"sgs1.0.*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" | rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)" | table app version userId date_mday| dedup userId | sort version | fields "app", "date_mday", "userId", "version" | rename "date_mday" AS "Date"
How much memory does the AWS instance have? It should have at least 12GB. It's possible your search query is too memory-intensive. Use the fields command to remove unused fields and save memory. Share the query so we can offer other suggestions to reduce memory use.
Hello @gcusello, sorry to come back, but is there any way to change the table label? Example of my search:
"sgs1.0.*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" | rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)" | table app version userId date_mday| dedup userId | sort version
Can my table look like the below?
app version userid Date (rather than date_mday)
Hi @svodela, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated
Hi @adrifesa95, it isn't so easy. You should create a lookup containing two columns, area and mail, and modify your alerts in this way:
<your_alert>
| lookup your_lookup.csv area OUTPUT mail
| sendmail to=mail
This supposes that in your mail search you have the area field, matching the value in the lookup. Ciao. Giuseppe
Hello, Splunk support helped me and gave me the solution. There is no feature to easily reset the password for a user. The admin needs to update it directly in the database:
su caspida
psql -d caspidadb
update accounts set password=md5('changeme') where email='admin';
Replace "admin" with your username and "changeme" with the chosen password.