All Posts
Splunk documentation has a page that guides customers through troubleshooting issues similar to the one you described, like when they don't find the data/events: "Are you searching for events and not finding them, or looking at a dashboard and seeing "No result data"? Here are a few common mistakes to check." https://docs.splunk.com/Documentation/Splunk/9.1.2/Troubleshooting/Cantfinddata
Hello, can anyone help me with a custom visualization like the image below? I would be grateful for any add-on or something similar. Thanks in advance.
Hi toocies, take a look here: https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/secretstorage/ This has some good examples for your use case. Hope this helps ... cheers, MuS
Thanks! If I could, I would give you 10 Karma for this solution. It makes the panel so much nicer
Sure, thanks for the note @gcusello. Are summary index and scheduled search both the same? Please could you suggest how to implement the scheduled search?
Hi @selvam_sekar, you have some methods to accelerate your search that you can find described at https://docs.splunk.com/Documentation/Splunk/9.1.2/Knowledge/Aboutsummaryindexing My hint is to use Datamodels or Summary indexes. About the second, you have to schedule your searches with a frequency to define based on the time for the search execution and your refresh requirements. So you can save the results in a summary index and then run your search on the aggregated values that you have in the summary index. Ciao. Giuseppe
Hi, my dashboard seems to be taking around 1.3 minutes to load the data for multiple panels, and sometimes it takes around 4 minutes to load the data. My client came up with a requirement to get the 'auto refresh' feature enabled for the dashboard with 15 minute intervals. I used a base search, and the base search in turn uses | tstats. I am not familiar with saved search or scheduled search or loadjob. Please could you advise how to implement the feature? Thanks, Selvam.
Hi @quangnm21, after every stats command (also tstats) you have only the fields that are present in the command, so dest_nt_domain and src_nt_domain are no longer present. You have to insert in the tstats command the two fields with the values option:

| tstats `security.content.summariesonly` values(host) AS srcHost dc(host) AS chost min(_time) AS firstTime max(_time) AS lastTime values(Authentication.dest_nt_domain) AS dest_nt_domain values(Authentication.src_nt_domain) AS src_nt_domain FROM datamodel=Authentication WHERE Authentication.action="success" Authentication.dest_nt_domain="PTIT" Authentication.src_nt_domain="PTIT" Authentication.user="qmn" BY Authentication.user
| eval abc = tostring(dest_nt_domain), xyz = tostring(src_nt_domain)

Then I suggest renaming some fields to avoid the dot in the name (sometimes functions don't work). Last doubt: if you have the Authentication.user field in the WHERE condition, why do you have it also in the BY clause? It's always one value! Last thing: next time, in addition to the screenshots, please also add the search in text mode (using the "Insert/Edit code sample" button), so I don't need to rewrite it! Ciao. Giuseppe
Sure! Let me try to give a partial of my data here.

{
  host: host01
  metrics: {
    Started: true
    TotalConnectionCount: 0
    Uptime: 3 days 3 hours
    UptimeMillis: 271021770
  }
}

My search query involving the field that has the problem is something like this:

<search query>
| spath output=metrics path=metrics
| stats latest(metrics.Started) as started, latest(metrics.TotalConnectionCount) as connectionCount by host
| eval state = if(started="true","UP","DOWN")
| table host, state, connectionCount

The problem comes with connectionCount. If it's not 0, it aligns right. If it's 0, it aligns left. PS. Actually, after I investigated this, the problem does not occur in Splunk search, but in Splunk Dashboard Studio when I use the table on my dashboard. Any ideas?
Did you mean the drop down is not enabled to select? If that's the case, check the search which populates the dropdown. If it uses the macros, then ensure that the user/app has permissions to access the macro and is expanding the search.
Hi, to hide the edit button, I use this option in Canvas Config. Also, there is an idea "in Development" to allow Hide Splunk Bar in Dashboard Studio. Thank you.
My OS system is CentOS 7, with Appdynamics 21.4.4 installed. I plan to migrate to OS Ubuntu 2204 LTS and upgrade to Appdynamics 23.9. Can I use HA to migrate? Or should I use backup & restore to do the transfer? I tried to migrate in different ways several times, but still can do it.
A few preliminary things to check:
- Are the missing machines still up & running and part of your network?
- Is Splunk still running on those missing machines?
- Are the forwarders still able to connect to the indexers?
- Are the *nix apps (or whichever apps are used) installed and configured?
thanks @richgalloway - yes, we looked at this Add-on but we found some limitations w.r.t. our use case - Please allow me some time and I will share more details on the use case.
Hello, I am creating a dashboard in Dashboard Studio and wanted to have just 3 time ranges available for a user:
- Last Month ("-mon@mon" to "@mon")
- Last to last Month ("-2mon@mon" to "-mon@mon")
- Month to date ("@mon" to "@d")

I think I can get all these options in the default timerange input as well, but I do not want the user to select anything other than these 3 options - and this is something I cannot prevent when using the default timerange input (or at least I am not sure how I do that, unless I create a separate user role with specific time ranges allowed, maybe). So as a workaround, I have created a drop down with these 3 token labels, and the values are set in the form of the relative_time function, i.e.:

where tempDt>=relative_time(now(),"-mon@mon") and tempDt<relative_time(now(),"@mon")
where tempDt>=relative_time(now(),"@mon") and tempDt<relative_time(now(),"@d")
where tempDt>=relative_time(now(),"-2mon@mon") and tempDt<relative_time(now(),"-mon@mon")

In the main search (not available in the demo dashboard definition shared here) I am using a variable tempDt, and then one of the token values will filter data based on this tempDt:

index=abc earliest="-2mon@mon" ```there exist a field called tempDt``` $timerange$

All this worked as expected - no issues.

Now, I also want to display the Month Name in the Dashboard Header (created using Markdown Text) based on the Token Value:

if Last Month then strftime(relative_time(now(),"-mon@mon"),"%b-%Y")
if Last to last month then strftime(relative_time(now(),"-2mon@mon"),"%b-%Y")
if Month To Date then strftime(relative_time(now(),"@mon"),"%b-%Y")

Please see below the dashboard source code that I have tried, but the Markdown text is not populated with the Month Name - when I run the same search outside the dashboard, it works ok.
{
  "visualizations": {
    "viz_q7o2tu52": {
      "type": "splunk.markdown",
      "options": {
        "markdown": "### **Monthly Service Review ($MD Search:result.month$)**"
      }
    }
  },
  "dataSources": {
    "ds_zBQAeHol": {
      "type": "ds.search",
      "options": {
        "enableSmartSources": true,
        "query": "| makeresults \n| eval temp=case(LIKE($timerange|s$,\"%-2mon@mon%\"),\"-2mon@mon\",LIKE($timerange|s$,\"%-mon@mon%\"),\"-mon@mon\",LIKE($timerange|s$,\"%@d%\"),\"@mon\",true(),\"@d\")\n| eval epoch=relative_time(now(),$temp$)\n| eval month=strftime(epoch,\"%b-%Y\")\n| table month",
        "queryParameters": {
          "earliest": "-24h@h",
          "latest": "now"
        }
      },
      "name": "MD Search"
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "latest": "$global_time.latest$",
            "earliest": "$global_time.earliest$"
          }
        }
      }
    }
  },
  "inputs": {
    "input_global_trp": {
      "options": {
        "items": [
          {
            "label": "Last Month",
            "value": "where tempDt>=relative_time(now(),\"-mon@mon\") and tempDt<relative_time(now(),\"@mon\")"
          },
          {
            "label": "Month to Date",
            "value": "where tempDt>=relative_time(now(),\"@mon\") and tempDt<relative_time(now(),\"@d\")"
          },
          {
            "label": "Last to last Month",
            "value": "where tempDt>=relative_time(now(),\"-2mon@mon\") and tempDt<relative_time(now(),\"-mon@mon\")"
          }
        ],
        "defaultValue": "where tempDt>=relative_time(now(),\"-mon@mon\") and tempDt<relative_time(now(),\"@mon\")",
        "token": "timerange"
      },
      "title": "Time Range",
      "type": "input.dropdown"
    }
  },
  "layout": {
    "type": "absolute",
    "options": {
      "width": 1440,
      "height": 960,
      "display": "auto"
    },
    "structure": [
      {
        "item": "input_global_trp",
        "type": "input",
        "position": { "x": 640, "y": 130, "w": 198, "h": 82 }
      },
      {
        "item": "viz_q7o2tu52",
        "type": "block",
        "position": { "x": 540, "y": 30, "w": 400, "h": 90 }
      }
    ],
    "globalInputs": []
  },
  "description": "",
  "title": "MD Markdown Token Test"
}

Can you please help with how I can achieve this? Thank you. Regards, Madhav
This was my initial search. I cannot compare the two fields "srcdomain = destdomain" because when I intend to use eval my value is output as null. Thanks everyone.
Apologies for writing in Japanese. I installed the UF on Linux and configured input.conf as follows:

[monitor:///xxxx/]
whitelist = xxxx_list_<yyyymmdd>.csv

I restarted the UF and confirmed with `splunk list monitor` that the target file was displayed. However, when I checked the monitoring status the next day with the same command, the newly created file (xxxx_list_20241212.csv) was not displayed. If anyone knows how to resolve this, could you please let me know?
Somewhere I read/interpreted that you only wanted those from XYZ.csv and discard the ABC.csv-only ones. To preserve all, use the following.

| inputlookup ABC.csv
| eval lookup="ABC.csv"
| fields Firewall_Name lookup
| append
    [ | inputlookup XYZ.csv
      | eval lookup="XYZ.csv"
      | rename Firewall_Hostname AS Firewall_Name
      | fields Firewall_Name lookup ]
| stats values(lookup) as lookup by Firewall_Name
| eval lookup = if(mvcount(lookup) > 1, mvjoin(lookup, " + "), lookup . " only")
| stats count values(Firewall_Name) as Firewall by lookup
| eval Firewall = if(lookup == "ABC.csv + XYZ.csv", null(), lookup)
Have a look at the Splunk Monitoring Console.
With the splunk_TA_windows you can index logs regarding Windows Update from the machines where you have a forwarder installed. With that you can check the packages that are installed on each machine. I don't think you can check which patches are missing unless you already have them installed somewhere. With these logs, you can also check for problems with Windows Update (check Splunk Lantern).