All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.


Problem solved, I appreciate all your responses. Once I search in SH, I should use the parameter splunk_server=* in order to see results. So obviously this was my issue, as I should see results without such a parameter. Modified the below on SH, which solved it:

C:\Program Files\Splunk\etc\system\local\distsearch.conf
[distributedSearch:dmc_group_indexer]
default = false
@tej57 Thanks, but how can I include _time as well in the result, since after mvcombine the _time data gets dropped?
Hi @brat_1990, if you have a Linux server, you could configure an rsyslog server that writes syslogs into files that you can read using the UF. Otherwise you could install the SC4S app (that's a syslog-ng server). The last choice is to use a Heavy Forwarder. My hint is to use an rsyslog server (I usually do this). Ciao. Giuseppe
Hi @mayurkale471757, try to upload a sample of your file using the Add Data GUI feature, which guides you through the sourcetype creation. Ciao. Giuseppe
I would contact Splunk Support.
Hi @Mohamad_Alaa, check if you have filters compatible with the values you defined for the Notable. Ciao. Giuseppe
Hi @Mohamad_Alaa, as I said, you have to enable datamodels and accelerations. Ciao. Giuseppe
The numbers are not exact: from the DS Forwarder Management > 1275, dc(h) from metrics > 1287, and the total stats count from the final query > 1166, so it's not accurate. I will need to create a lookup of UFs. Thank you for your support.
Hi @_pravin, are you sure that these reports and alerts are shared at app level and that they are in the Search and Reporting App? Try to deselect the app in the search dropdown filter, setting it to All. Ciao. Giuseppe
I am working on adding some dropdowns to an existing Dashboard Studio dashboard. I have the queries working with no issues by referencing the dropdowns and wrapping the token name in $$. What I am working on now is updating a widget's title with the token's label, as that is the 'human' readable data, not data to drive the queries. Showing the 'value' of the token's selection works with $tok_aToken$, but how do I show the token's label? I have tried $tok_aToken_label$ and $tok_aToken.label$, and have been searching for hours without finding a solution.
Hi, I have 3 values and I want to display them in a single value panel like the below image, which is from Tableau. I want to replicate the same in Splunk. Can it be done? If not, can we represent 2 values (GPA and website) in a single value and Grade in the legend? Otherwise, please suggest what other representation I could go with that displays 3 values.
Try something like this:

index=_internal (host=`sim_indexer_url` OR host=`sim_si_url`) sourcetype=splunkd group=per_Index_thruput series!=_* (earliest=@d latest=now) OR (earliest=-60d@d latest=-59d@d)
| timechart minspan=30s per_second(kb) as kb by series
I used the query index="botsv2" Amber. I found a capture_hostname: matar. Which e-mail seems to be linked to "matar"? And who sends the person attached to the "feed" email to? This is from https://github.com/splunk/botsv2
I have a single value panel with a distinct count, and I've specified a function for the drilldown. When clicking on a value like '25', the table displays all values instead of the exact ones. Any guidance on refining the drilldown for precise results, @gcusello?
That is a different question (which has been answered many times before). Essentially, you make your field a multivalue field and hide the second value with CSS, but you can still use the (hidden) value to select the colour by expression. Solved: Re: Highlight row if unique values exist within dy... - Splunk Community
I would like to compare total throughput for two dates 60 days apart (say, current and -60d). The query in the CMC that generates the throughput is:

index=_internal (host=`sim_indexer_url` OR host=`sim_si_url`) sourcetype=splunkd group=per_Index_thruput series!=_*
| timechart minspan=30s per_second(kb) as kb by series

I need the series information, but it could be binned into 1 whole day.
I'm having trouble using any action with an IPv6 value; any action of any app that I try to use an IPv6 value with returns this error:

Nov 29, 09:25:17 : 'add_element_1' on asset 'akamai original': 1 action failed. (1)For Parameter: {"context":{"artifact_id":0,"guid":"857e066c-de68-4109-a58b-ee1e515b01dd","parent_action_run":[]},"elements":"2804:1b3:ac03:a6dd:d941:1714:85bb:8b4","networklistid":"7168_ORIGINALBLACKLIST"} Message: "Parameter 'elements' failed validation"

Nov 29, 09:25:17 : 'add_element_1' on asset 'akamai original' completed with status: 'failed'. Action Info: Size : 336 bytes : [{"app_name":"Akamai WAF","asset_name":"akamai original","param":{"context": {"guid": "857e066c-de68-4109-a58b-ee1e515b01dd", "artifact_id": 0, "parent_action_run": []}, "elements": "2804:1b3:ac03:a6dd:d941:1714:85bb:8b4", "networklistid": "7168_ORIGINALBLACKLIST"},"status":"failed","message":"Parameter 'elements' failed validation"}]

I always receive the message "Parameter 'elements' failed validation"; in this case it is an app to add an IP to an Akamai network list.

If anyone has managed to use IPv6, I would be glad if you could share it with me.

Thanks.
Hi Team, I came across an issue where I have the below sample logs in a file:

15:30:31.396|Info|Response ErrorMessage: ||
15:30:36.610|Info|Logging Rest Client Request...||
15:30:36.610|Info|Request Uri: https://abc-domain/api/xy/Identify||
15:30:36.694|Info|Logging Rest Client Response...||
15:30:36.694|Info|Response Status Code: 401||
15:30:36.710|Info|Response Status Description: Unauthorized||
15:30:36.741|Info|Response Content: ||
15:30:36.741|Info|Response ErrorMessage: ||
15:30:36.762|Info|Logging Rest Client Request...||

I am using Splunk forwarder version splunkforwarder-8.2.4-87e2dda940d1-x64-release with the below props.conf settings:

[xyz:mnl]
LB_CHUNK_BREAKER = ([\r\n]+)

On the Splunk portal I am not getting one line as one event; instead I am getting multiple lines as a single event, like below:
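An added example (editor's, not from the poster or from any reply in this thread) of the props.conf settings a practitioner would use to get one event per line for this file. It assumes the data is indexed with the poster's sourcetype xyz:mnl and that the indexers (or a heavy forwarder) do the parsing; the field names level and message are assumptions. The point it illustrates: LB_CHUNK_BREAKER only tells a universal forwarder where it may cut the stream when it switches indexers for load balancing, it is not an event breaker, so the line-breaking and timestamp settings belong on the parsing tier, and EVENT_BREAKER is the forwarder-side setting if you also want the forwarder to respect line boundaries.

```conf
# (1) props.conf on the indexers or heavy forwarder that parse xyz:mnl.
#     Added example; only the sourcetype name comes from the original post.
[xyz:mnl]
# One event per line: never merge lines, break on every newline.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# The timestamp is the leading HH:MM:SS.mmm field. The log carries no date,
# so Splunk has to infer the date; see the timestamp-recognition docs.
TIME_PREFIX = ^
TIME_FORMAT = %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 12
# Search-time extraction for the pipe-delimited layout time|level|message||
# (field names level and message are assumed, not from the post).
EXTRACT-xyz_fields = ^[^|]+\|(?<level>[^|]+)\|(?<message>.*?)\|\|$

# (2) props.conf on the universal forwarder, in its own file.
#     Optional: keeps one event from being split across two indexers when
#     the forwarder load-balances. LB_CHUNK_BREAKER alone does not break
#     events on the indexer, which is why the original setting had no effect
#     on how events appeared in search.
[xyz:mnl]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)
```

After deploying (1) restart the parsing tier and re-index a sample of the file; events ingested before the change keep their old boundaries. A quick check is `index=<your_index> sourcetype=xyz:mnl | eval lines=mvcount(split(_raw,"\n")) | stats max(lines)`, which should return 1 for newly indexed data.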
Just in case someone is still looking for an answer to this, go to ES Threat Intelligence Management and click New -> TAXII.

Url: https://otx.alienvault.com/taxii/collections
Post Arguments: collection=user_AlienVault taxii_username=xxxxxxxxxxxxxyourAPIKeyHerexxxxxxxxx taxii_password=foo

Cheers!
Hey @Splunkerninja, I used makeresults to get a statistical table as provided in the question. You can use the below query to identify a User that has both the IDs "AD" and "AR9":

| makeresults | eval User="John", ID="AD"
| append [| makeresults | eval User="John", ID="AY9"]
| append [| makeresults | eval User="Riya", ID="AD"]
| append [| makeresults | eval User="Toby", ID="AR9"]
| append [| makeresults | eval User="Nathan", ID="AD"]
| append [| makeresults | eval User="Nathan", ID="AR9"]
| append [| makeresults | eval User="Sam", ID="AD"]
| append [| makeresults | eval User="Sam", ID="AR9"]
| fields - _time
| table User ID
| stats values(ID) as ID by User
| mvcombine ID delim=""
| eval match=if(match(ID,"AD AR9"),1,0)
| search match="1"

Thanks,
Tejas.

---
If the above solution is helpful, an upvote is appreciated.
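An added example (editor's, not part of tej57's answer or of the thread) of the same makeresults-based search reworked so that _time survives, which the follow-up question above asked about. The users, IDs and relative timestamps are constructed sample data. The timestamps are aggregated in the same stats call that collects the IDs, and the "has both AD and AR9" test uses mvcount over mvfilter on the multivalue field instead of mvcombine plus a regex, so it does not depend on the order in which values() sorts the IDs.

```spl
| makeresults | eval User="John", ID="AD",  _time=relative_time(now(), "-3h")
| append [| makeresults | eval User="John", ID="AR9", _time=relative_time(now(), "-2h")]
| append [| makeresults | eval User="Riya", ID="AD",  _time=relative_time(now(), "-90m")]
| append [| makeresults | eval User="Sam",  ID="AR9", _time=relative_time(now(), "-1h")]
| append [| makeresults | eval User="Sam",  ID="AD",  _time=relative_time(now(), "-30m")]
| append [| makeresults | eval User="Sam",  ID="AD",  _time=relative_time(now(), "-10m")]
| stats values(ID) as ID, min(_time) as first_seen, max(_time) as last_seen, count by User
| where mvcount(mvfilter(match(ID, "^(AD|AR9)$"))) == 2
| fieldformat first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| fieldformat last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table User ID first_seen last_seen count
```

With this sample data the result is two rows, John and Sam (Riya has only AD). Replace the makeresults/append prefix with the real base search; first_seen and last_seen are the earliest and latest _time of any of that user's events. If the per-event _time is wanted rather than a summary, use `eventstats values(ID) as all_ids by User | where mvcount(mvfilter(match(all_ids, "^(AD|AR9)$"))) == 2` instead of stats, which keeps every original event with its own _time and attaches the user's full ID list to each.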