Splunk has documentation on this subject. See https://docs.splunk.com/Documentation/Splunk/9.0.7/Installation/HowtoupgradeSplunk
Client is asking about the Splunk Cloud backup and recovery procedure for DR, specifically all the configuration, searches, dashboards, fields, tags, and so on. I cannot find a document outlining Splunk Cloud policies for high availability, backup and restore. Can anyone point to this info?

Client ask: "Could you please check and let me know how and where the following items are backed up and what is the process to recover them for DR purposes?
Audit logs
Use cases
Reports, alerts, lookup tables, KV etc.
Config data
Source type config
Parsing API, TI
Fields config
Data model, macros
Apps and app config
ES config
Threat intel config"
You are right - default overwrites initial. So, the missing tokens may be somewhere else in your filters.
OK, I found the problem. One of the panels that updates the table is trellis_pie, and this token is the one that breaks everything, so I guess I configured it wrong. What is the right way to configure the trellis_pie token? This is the source:

<panel>
  <chart id="trellis_pie">
    <option name="charting.axisTitleX.visibility">collapsed</option>
    <option name="charting.axisTitleY.visibility">collapsed</option>
    <option name="charting.axisTitleY2.visibility">collapsed</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.sliceCollapsingThreshold">0</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.legend.placement">none</option>
    <option name="refresh.display">progressbar</option>
    <option name="trellis.enabled">1</option>
    <drilldown>
      <set token="host_exposure_level">$row.category$</set>
    </drilldown>
  </chart>
</panel>
Well... thanks
Hello, I've tried to add * as the initial value but it's not working. In default, the initial value is ignored once a default value is configured.
Hi @gcusello,

The SPL is actually a report, so the data has not even been sent to the function that has been invoked. I tried to add just the one line to the report and noticed that the report just disappears. I am also attaching the code below:

| mstats sum("mx.process.logs") as count WHERE "index"="mx_metrics" mx.env=$mx.env$ log.type=log span=10s BY pid service.name replica.name service.type module.names severity host cmd mx.env
| rename module.names as Module
| rename host as Hostname
| rename severity as lvl
| rename pid as PID
| eval Module=if(Module!="",Module,"UNDEFINED")
| eval temp=split(Module,",")
| mvexpand temp
| eval recipient=("MX_MONITORING_".temp . "@mx.com")
| fields - temp
| rename _time as timestamp
| mvcombine delim="," recipient
| rename timestamp as _time
| fields _time count PID service.name replica.name service.type Module lvl Hostname cmd mx.env recipient
| sort 0 - _time
| stats values(service.name) as Services values(replica.name) as Replicas values(PID) as PIDs values(Hostname) as Hosts sum(count) as Count_Of_Errors earliest_time(replica.name) as Earliest_Error_Time latest_time(replica.name) as Latest_Error_Time values(lvl) as Severities values(recipient) as Owners by Module mx.env
| eval Earliest_Error_Time=strftime(Earliest_Error_Time,"%d/%m/%y %H:%M:%S")
| eval Latest_Error_Time=strftime(Latest_Error_Time,"%d/%m/%y %H:%M:%S")
| table Module Services Replicas PIDs Hosts Count_Of_Errors Earliest_Error_Time Latest_Error_Time Severities mx.env

I tried using the line in another report, and the other report also disappears in the report filter. Now I feel that this is more of a bug than a code functionality issue. Please let me know what you feel about this?

Regards, Pravin
You are a genius. Thank you so much @ITWhisperer . Much appreciated!  
Yes, trying to create a search-based input in the Glass table input.dropdown, but for input.dropdown in the glass table we do not have the search configuration.
You are missing an underscore!

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20 | streamstats count AS count | eval field_names="test_".count | stats list(field_names) AS field_names | nomv field_names | eval field_names=replace(field_names," ",", ") | return $field_names])
I have some data where I want to write the values of "test_n" (n in 1,2,...,20) into a multivalue field and keep the numeric order. My attempt is to create the fields in a subsearch and pass them to "mvappend()". This does not work.

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20 | streamstats count AS count | eval field_names="test".count | stats list(field_names) AS field_names | nomv field_names | eval field_names=replace(field_names," ",", ") | return $field_names])

Is there any alternative to spelling out:

| eval x=mvappend(test_1,...,test_20)

by hand?
Understood. So, it sounds like your filter isn't working effectively. Here is a runanywhere example showing the filter working on the sample data, with Workbook and testbook being excluded from the results:

| makeresults count=10
| eval _raw="/api/cvraman/book
/api/apj/book
/api/nehru/book
/api/nehru/Workbook
/api/nehru/testbook
/api/cvraman/collections
/api/apj/collections
/api/indira/collections
/api/rahul/notes
/api/rajiv/notes
/api/modi/notes"
| multikv noheader=t
| eval duration=random()%10
| rename _raw as URI
| search (URI = /api/*/book OR URI = /api/*/collections OR URI = /api/*/notes)
| rex mode=sed field=URI "s/(?<root>\/\w+\/)[^\/]+(?<api>.*)/\1*\2/g"
| eval responseTime="response time"
| chart avg(duration) as avg_time by responseTime URI

I am sure you can also understand that there is nothing wrong with the rex and the remainder of the search given the data examples you have given to work on, and that the issue is with your filter, which only you can sort out, given that it is production data that you cannot share.
That's the production data, so I couldn't share it here, but from the results I can see that it is giving the results of /api/*/Workbook and /api/*/testbooks responses also, which I don't need. Actually, the prod APIs I renamed, and I just added workbook, testbooks, notes like that. Hope you understand.
So what is the time of your earliest event?
90 days
The filter on your search should be only including the events you want. If you have other events, you need to tighten the filter to exclude the unwanted events. Can you share an example of the events which are being included but should not be, based on your filter?
What is the retention period on your index or the earliest event in your index?
The above rex will give all the APIs. For example, we have another API /API/*/workbooks. Now, with the query you provided, it would give the values of this API also. I don't want that. I just need values of /API/*/Books, /API/*/collections, /API/*/Notes only.
Correct, but it is clearer now; thank you. Try it this way:

| rex mode=sed field=URI "s/(?<root>\/\w+\/)[^\/]+(?<api>.*)/\1*\2/g"
| eval responseTime="response time"
| chart avg(duration) as avg_time by responseTime URI

You can set the x-axis Title to "None".
Hi this doesn't work; I'm not getting anything for the earlier dates (and I have expanded the date range to two days before the -60 date and today).