hi @splunklearner  How about this?

<dashboard version="1.1" theme="light">
  <label>Your dashboard name</label>
  <!-- ===== NOTICE PANEL ===== -->
  <row>
    <panel>
      <html>
        <div style="background: linear-gradient(120deg,#fff5f5 0%,#fff 100%); border-left: 6px solid #ff9800; box-shadow: 0 2px 6px rgba(0,0,0,.12); border-radius: 6px; padding: 18px 24px; font-family: -apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif; font-size: 15px; line-height: 1.45;">
          <h3 style="color:#d84315; margin:0 0 8px 0; display:flex; align-items:center;">
            <!-- unicode icon (search engine–friendly, scales with text size) -->
            <span style="font-size:32px; margin-right:12px;">⚠️</span> Performance notice
          </h3>
          <p style="margin:0 0 10px 0; color:#424242;">
            Avoid running the dashboard for long date ranges <strong>(Last 30 days)</strong> unless strictly needed – it may impact performance.
          </p>
          <p style="margin:0; color:#424242;">
            Before you continue, please select the <strong>Index Name</strong> above. The dashboard will remain empty until an index is chosen.
          </p>
        </div>
      </html>
    </panel>
  </row>
  <!-- rest of your dashboard -->
</dashboard>

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
In the AppD metric browser for Java apps, there is a metric called Allocated-Objects (MB).  I thought I understood what this was, but I'm getting some unexpected results after making a code change. We had a service that had an allocation rate that was too high for the request volume, IMO, so we took a 1-minute flight recording in a test environment.  Total allocation, according to the flight recording samples, was around 35GB.  Based on where the samples were coming from, we made a code change.  When we retested, the total allocation for the same test over 1-minute was only 9GB, approximately 75% less. When we deployed the change and re-ran our endurance test, we saw an object allocation rate that was only slightly lower than the baseline.  Dividing the allocation rate by the request volume, the number had only gone down from 12MB/req to 10MB/req. We do not have verbose GC enabled, so I can't check against that. What could be causing the numbers to be so similar?  Is the allocation rate reported by AppD reliable? thanks  
<form version="1.1" theme="light">
  <label>Dashboard</label>
  <!-- Hidden base search for dropdowns -->
  <search id="base_search">
    <query> index=$index$ ---------- </query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <html>
        <p>⚠️ Kindly avoid running the Dashboard for extended time frames <b>(Last 30 days)</b> unless absolutely necessary, as it may impact performance.</p>
        <p>To get started, Please make sure to select your <b>Index Name</b> - this is required to display the dashboard data </p>
      </html>
    </panel>
  </row>

This is how I am writing the description. But I am not satisfied because it is not eye-catching. When the user opens the dashboard he should see this note first; I want it that way. I am not aware of HTML as well. Can someone help me? I copied the icon from Google and it seems small in the dashboard.
Try something like this

| rex field=field_in_hhmmss "((?<days>\d+)\+)?((?<hours>\d+):)?((?<minutes>\d+):)?(?<seconds>[\d\.]+)"
| eval formatted=if(days > 0,days." days, ","").if(days > 0 OR hours > 0,hours." hours, ","").if(days > 0 OR hours > 0 OR minutes > 0,minutes." mins, ","").if(seconds > 0,seconds." secs","")
```strip the trailing ", " that is left behind when seconds is 0```
| eval formatted=rtrim(formatted, ", ")
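The rex/eval logic above re-implemented in Python, as an added example (not the answer's own code) so the parsing and formatting can be checked offline against constructed field values before it goes into a search; the function names parse_hhmmss and format_duration are my own.

```python
import re

# Added example, not the original SPL: a Python re-implementation of the
# rex + eval above so the formatting logic can be checked offline before
# it goes into a search. The regex is the rex pattern in Python named-group
# syntax; all sample values fed to it are constructed.
DURATION_RE = re.compile(
    r"^((?P<days>\d+)\+)?((?P<hours>\d+):)?((?P<minutes>\d+):)?(?P<seconds>[\d.]+)$"
)

def parse_hhmmss(text):
    """Split 'd+hh:mm:ss' or 'hh:mm:ss' into parts; absent parts are None.

    Shares the rex quirk that optional groups bind from the left, so a bare
    'mm:ss' value is read as hours and seconds, not minutes and seconds.
    """
    m = DURATION_RE.match(text.strip())
    if m is None:
        return None
    g = m.groupdict()
    return {
        "days": int(g["days"]) if g["days"] is not None else None,
        "hours": int(g["hours"]) if g["hours"] is not None else None,
        "minutes": int(g["minutes"]) if g["minutes"] is not None else None,
        "seconds": g["seconds"],  # kept as text, as rex captures it
    }

def format_duration(text):
    """Mirror the eval: show a unit when it, or any larger unit, is > 0.

    Seconds appear only when non-zero; pieces are joined with ', ' so no
    trailing separator is left when seconds are 0 (the bare eval leaves one).
    """
    p = parse_hhmmss(text)
    if p is None:
        return None
    d, h, mi = p["days"] or 0, p["hours"] or 0, p["minutes"] or 0
    s = p["seconds"]
    pieces = []
    if d > 0:
        pieces.append(f"{d} days")
    if d > 0 or h > 0:
        pieces.append(f"{h} hours")
    if d > 0 or h > 0 or mi > 0:
        pieces.append(f"{mi} mins")
    if float(s) > 0:
        pieces.append(f"{s} secs")
    return ", ".join(pieces)
```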
To be fully honest, it's a "double donut" version. I wouldn't be surprised if it was a bit buggy.

1. Don't just jump head-first into a version just because it's just been released. Unless there are fixes for issues hitting you or patches for known vulnerabilities, there's usually no reason to upgrade. Splunk can handle a wide range of older forwarders pretty well.

2. What you can do to help in product development and bug fixing is to gather the installation logs and raise a support ticket. (and - if the problem isn't internal to the installer but can be bypassed or it's triggered by some specific set of conditions - share the knowledge)
I'm not sure, but you might need to use the --user option as well. In my tests I don't see any output if I give --app but don't give --user.
Then @livehybrid 's solution should work. When you're getting data from a HF (or any other "full" Splunk instance) you're getting it as already parsed and it completely bypasses most of the props/transforms mechanics, except for RULESETs.
If you're ok with the timestamp just being assigned to an event (no need to have it explicitly written in the event itself), just parse out the timestamp, cut the whole header and leave the json part on its own. Timestamp recognition takes place very early in the ingestion pipeline, so you can do it this way and not have to have the "timestamp" field in your json. You'll just have the _time field.
1. As @ITWhisperer noticed - you might be reinventing the wheel, since the value probably comes from some earlier time-based data, so there could be no need for rendering and parsing this value back and forth.

2. Are you sure (you might be, just asking) that you want to calculate the average of the averages? If the overall average is what you're seeking, an average of averages will not give you that.
Hi ITWhisperer, thank you very much. It is working exactly as I wish. Thank you.
I like this, it's an elegant solution. Let me try this.
Thanks @ITWhisperer. Tried that as I found the same on your other posts. But this is what it displays the result as. How to make it show as 1h, 45 mins? A more easily readable format in days, hours, minutes.
Hi @livehybrid, thanks for this. I looked at the parsing documentation earlier. Is there not a simpler way to do this, as I don't need to rewrite fields etc. since I have a TA doing it? All I need is: if syslog from this HOST/IP, then send to index=opnsense. Is this achievable with one parser config, or is what you already stated the only way of doing it?
Try something like this

| eval average_min=tostring(average_min,"duration")
Thanks a lot. I got the average_min as per your query, but now how do I convert / represent it back to hours and minutes format?

| stats avg(total_minutes) as average_min

For example, your query gave me average_min=112.9. How do I convert this back to show as 1 hour, 8 minutes?
Hi @alvinsullivan01

If this is a JSON event then you should be able to use

TIMESTAMP_FIELDS = timestamp
# Also adjust TIME_FORMAT to include the timezone.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
Hi @L_Petch

If you haven't already, check out https://splunk.github.io/splunk-connect-for-syslog/2.44.2/gettingstarted/create-parser/ which has a guide on how to create custom parsers. This is probably the best way, because it prevents finding a potentially fragile alternative process for identifying and routing the data (e.g. when it lands in Splunk with Props/Transforms).

Here is a sample to get you started:

In /opt/sc4s/local/config/app_parsers/

# app-opnsense.conf
application app-opnsense[sc4s-network-source] {
    filter {
        program("filterlog" flags(prefix))
        or program("opnsense" flags(prefix))
        or host("opnsense*" type(glob))
        or message("opnsense" flags(substring))
    };
    parser {
        p_set_netsource_fields(
            vendor("pfsense") # Use pfsense as base
            product("opnsense")
        );
    };
};

Then create the destination in /opt/sc4s/local/config/destinations/:

# dest-opnsense.conf
destination d_opnsense {
    splunk(
        class(splunk_hec)
        template("$(format-splunk-hec)")
        hec_token("YOUR_HEC_TOKEN")
        url("https://your-splunk:8088/services/collector/event")
        index("opnsense")
        source("${.splunk.source}")
        sourcetype("opnsense:syslog")
    );
};

log {
    source(s_network);
    filter(f_is_source_identified);
    # vendor is set to "pfsense" above, so match on the product field, which is "opnsense"
    if (match("opnsense" value("fields.sc4s_product"))) {
        destination(d_opnsense);
        flags(flow-control,final);
    };
};
Hi @Silah

I don't think it's possible to save these after the execution - however, I wonder if you could use the JavaScript execution to send a metric to Splunk Observability like this:

function sendStockMetric() {
  const status = document.body.textContent.includes("OUT OF STOCK") ? 0 : 1;
  fetch('https://ingest.{REALM}.signalfx.com/v2/datapoint', {
    method: 'POST',
    headers: {
      'X-SF-TOKEN': 'YOUR_TOKEN',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      gauge: [{
        metric: 'shop.item.stock_status',
        value: status,
        dimensions: {
          item: 'your_product_001',
          status: status === 1 ? 'instock' : 'oos'
        }
      }]
    })
  });
}
sendStockMetric();
Hi All

I am building synthetic monitoring in Observability Cloud for an online shop. One thing I want to monitor is whether or not an item's stock status is correct. I have a synthetic step "Save return value from JavaScript" to this effect:

function checkStockStatus() {
  if (document.body.textContent.includes("OUT OF STOCK")) {
    return "oos";
  }
  return "instock";
}
checkStockStatus();

I am storing this in a variable named stockStatus. Is there any way I can use the value of this variable in a dashboard, or to trigger an alert? For example, say I am selling a golden lamp and it gets sold out, how can I get a dashboard to show "oos" somewhere?

Thanks
Hi @alvinsullivan01, this seems to be a json format. The raw data in a json format are different than the visualized ones, so to check your regex, open the raw data visualization and not the json visualization: probably you have to add some backslashes to your regex. Ciao. Giuseppe