All Posts



Hi @aguilard, as I said, which kind of logs are you speaking of? If syslogs, using the TCP protocol on ports 9998 and 9999, the inputs you used are correct, but you cannot see them in the dashboard you shared in the screenshot; you have to search for them in the TCP network inputs [Inputs > Network Inputs > TCP]. If instead you want to receive logs from another Splunk system (e.g. a Universal Forwarder), you can see them in the dashboard you shared in the screenshot, but you have to use the conf files I hinted at. Probably you have some confusion about the kinds of inputs: they are two different kinds of inputs that are displayed in different dashboards. Ciao. Giuseppe
OK. I must correct myself here. It was true some time ago, but since 7.2.0 we have this: https://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/Migratetomultisite#Convert_legacy_buckets_to_multisite So with modern Splunk installations you can convert to multisite. Yaay!
Thanks for your response @gcusello. Maybe I do not understand some Splunk concepts very well. All I want is: if an event arrives at port 9998 it should be indexed in the index iscore_test. Likewise, if the event arrives at the port, the event should be indexed in the index iscore_prod. Would the inputs.conf that I set for this app be correct?
Hi, I am getting the below error when I'm trying to configure the Webhook alert to post in Microsoft Teams.

12-19-2023 11:57:56.700 +0000 ERROR sendmodalert [292254 AlertNotifierWorker-0] - action=webhook STDERR - Error sending webhook request: HTTP Error 400: Bad Request
12-19-2023 11:57:56.710 +0000 INFO sendmodalert [292254 AlertNotifierWorker-0] - action=webhook - Alert action script completed in duration=706 ms with exit code=2
12-19-2023 11:57:56.710 +0000 WARN sendmodalert [292254 AlertNotifierWorker-0] - action=webhook - Alert action script returned error code=2
Hi @aguilard, if you're speaking of forwarding and receiving between Splunk systems (as it seems from your screenshot), the inputs.conf stanzas that you used are wrong; these are for TCP network inputs. As you can read at https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf#inputs.conf.example, the correct ones for forwarding and receiving are

[splunktcp://:9997]
disabled = 0

[splunktcp://:9998]
disabled = 0

[splunktcp://:9999]
disabled = 0

Ciao. Giuseppe
This is my end_time: 1703027679.5678809. After this query, it showed this output, but I am getting the 1969 format:

| eval time=strftime(time, "%m/%d/%y %H:%M:%S")

But when I tried with time instead of time it showed correctly:

| eval time=strftime(1703027679.5678809, "%m/%d/%y %H:%M:%S") | table time
The indexes.conf was copied successfully and the indexer created the indexes correctly; the problem is the inputs.conf, which is not working properly.
Okay, thanks @VatsalJagani
Hi All, I am trying to send an email using the sendemail command with a CSV as an attachment. The email is getting sent successfully, but the file is getting named "unknown-<date_time>". I want to rename this file. Please let me know how we can do this.

| sendemail sendresults=true format=csv to=\"$email$\" graceful=false message="This is a test email" subject="Test Email Check"

Also, the message and subject are getting truncated. I am getting the message body as "This" and the Subject as "Test". Please help me understand what is going wrong. Help on:
1. Renaming the CSV file.
2. How to avoid the message body and subject getting truncated.
I really appreciate your help on this. Regards, PNV
@Muthu_Vinith - Let's say your CSV files are getting generated inside a folder called my_csv_files; then you can monitor that folder with Splunk to ingest all new CSV files in that folder.

[monitor:///var/log/my_csv_files]
# Above, you need to put the full CSV path
# You need to install Splunk or Splunk UF on that machine and enable this input
disabled = 0
index = my_metrics_idx

Reference - https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/Monitorfilesanddirectorieswithinputs.conf

I hope this helps!!! Kindly upvote if this helps!!!
Hello, I would like to separate my data streams by opening three receiving ports. I have a multisite indexer cluster and I have created an app with this default inputs.conf file:

[tcp://9998]
disabled = 0
index = iscore_test
sourcetype = iscore_test
connection_host = ip

[tcp://9999]
disabled = 0
index = iscore_prod
sourcetype = iscore_prod
connection_host = ip

But when I check the receiving ports on the indexer it only shows 9997 (which I would like to use just for Splunk internal logs). I think there is a faster way to do this rather than setting the receiving ports manually on each indexer. I already checked, and the app that I created was successfully copied to the indexers.
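As an added illustration of the distinction drawn in this thread between [tcp://] network inputs, [splunktcp://] receivers and [monitor://] file inputs (example code written for this page, not from the Splunk docs or from anyone in the thread): a small Python parser over a constructed inputs.conf that classifies each stanza, reports the port or path and index it targets, and lists which ports each kind actually opens. The descriptions in WHERE_SHOWN are taken from the posts above and are assumptions about where Splunk Web shows each kind.

```python
import configparser
import re

# Constructed sample inputs.conf mixing the three stanza kinds discussed in the thread
SAMPLE_INPUTS_CONF = """
[tcp://9998]
disabled = 0
index = iscore_test
sourcetype = iscore_test
connection_host = ip

[splunktcp://:9997]
disabled = 0

[monitor:///var/log/my_csv_files]
disabled = 0
index = my_metrics_idx
"""

STANZA_RE = re.compile(r"^(?P<kind>tcp|splunktcp|monitor)://(?P<rest>.*)$")

# Where each kind of input is managed in Splunk Web (assumption based on the thread's replies)
WHERE_SHOWN = {
    "tcp": "Inputs > Network Inputs > TCP (raw TCP from any sender)",
    "splunktcp": "Forwarding and receiving (Splunk-to-Splunk, e.g. a Universal Forwarder)",
    "monitor": "Files & directories, on the host running Splunk or the UF",
}

def parse_inputs_conf(text: str) -> list[dict[str, str]]:
    """Classify every tcp://, splunktcp:// and monitor:// stanza in inputs.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    entries = []
    for section in cp.sections():
        m = STANZA_RE.match(section)
        if not m:
            continue  # other stanza kinds (udp://, script://, ...) are not classified here
        kind, rest = m.group("kind"), m.group("rest")
        # Listener port is what follows the last ':' ("9998", ":9997" or "host:9998"); monitor keeps its path
        target = rest if kind == "monitor" else rest.rsplit(":", 1)[-1]
        entries.append({"kind": kind, "target": target,
                        "index": cp.get(section, "index", fallback="(default index)"),
                        "disabled": cp.get(section, "disabled", fallback="0"),
                        "shown_in": WHERE_SHOWN[kind]})
    return entries

def listening_ports(entries: list[dict[str, str]], kind: str) -> list[str]:
    """Ports opened by enabled stanzas of one kind (the receiving page only lists splunktcp ones)."""
    return [e["target"] for e in entries if e["kind"] == kind and e["disabled"] == "0"]
```

Running parse_inputs_conf(SAMPLE_INPUTS_CONF) shows that only port 9997 would appear under receiving, while 9998 is a raw TCP input that must be looked up under network inputs.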
Thanks for your support, it worked for me.
Hi @Questioner, if you want the tooltips that are in that app, you can use the js and css by copying them from that app into your app and adding the header line; obviously remember to restart Splunk on the SH. Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi! @gcusello Maybe some requirements are missing from the requirements... I think. I'll try to do that. Thank you for your help!
Hi @Questioner, you can install this app in your Search Heads, eventually in non-visible mode. One additional piece of information: this app lists the apps in Splunkbase, it doesn't give you a viz; what's your requirement? Anyway, if you want tooltips, you could copy the following files: tooltip.js, tabs.js, custom_table_icons_inline.js, tooltip.css, alt.css, tabs.css from the appserver/static folder of this app into your app's appserver/static folder and add this line as the first line of your dashboard:

<form script="tooltip.js,tabs.js,custom_table_icons_inline.js" stylesheet="tooltip.css,alt.css,tabs.css" version="1.1">

So you can use these js and css without installing this app. Ciao. Giuseppe
Hi @gcusello Maybe.. Yes! I want to use "<viz>" in my code, but I don't know how to install this in my environment. Thanks, regards
Btw, I have created the same search but in a classic dashboard. It shows the results with this warning: "These results may be truncated. Your search generated too much data for the current visualization configuration." and it is indeed truncating the number of results. I have been trying to change the default setting of the "charting.chart.resultTruncationLimit" and "charting.data.count" properties (added them in the search query) but it does not increase the number of data. Is there any way to make it show all the data in the classic dashboard? https://docs.splunk.com/Documentation/Splunk/9.0.4/Viz/ChartDisplayissues?ref=hk#Search_result_truncation

<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.resultTruncationLimit">500000</option>
<option name="charting.data.count">100000</option>
<option name="charting.drilldown">none</option>
Hi @Questioner, is it a problem to install this app in your environment? You could also install it in a non-visible way. Ciao. Giuseppe
Ok, I don't understand why you want to do this; anyway, please try this:

index="1**" source="2***"
| rex "(?ms)statusCode: (?<statusCode>\d+)"
| stats count by statusCode
| append [ search index="1**" source="2**" "republish event" | stats dc(event.body) AS totalrequest | eval statusCode="totalrequest" | fields statusCode totalrequest ]

Beware that statusCode must be the same in rex and stats! Ciao. Giuseppe
Yes, it doesn't work in edit mode (which is not surprising!)