All Posts

Why not fix the issues with the filters in the classic dashboard? Studio is still behind when it comes to functionality, so fixing your issues with Classic might be the quickest way to give your users what they want.
Hi, we have the following error in one of the Splunk instances:
Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.
And the following warning exists in the licensing section for the "auto_generated_pool_download-trial" pool:
This pool has exceeded its configured poolsize=524288000 bytes. A warning has been recorded for all members
whereas the mentioned Splunk is not a trial version; it's an Enterprise version.
Hi, I found 2 previous tickets about this case (https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-multiple-tabs-in-splunk-dashboard-studio/td-p/598020). I need to convert my dashboard from Classic to a Studio dashboard (because customers weren't satisfied with the filters in the Classic version), and I need to add tabs to my dashboard because I can't fit all the charts on one page (too many charts and different topics). How can I implement tabs? Or maybe a workaround solution? I don't want to create each tab as a different dashboard. Thanks, Maayan
Try something like this:
index=sso Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") OR ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(searchmatch("Util.validateAuth AND METHOD_ENTRY"), 1, 0)
| eval success_flag = if(searchmatch("\"RestTorHandler : hleError :\" OR \"java.net.SocketException: Connection reset]\" OR \"Error in processor call.\" OR level=error NOT \"resubmit the request\""), 1, 0)
| stats sum(err_flag) as total_errors, sum(success_flag) as total_successes by service_name
Hi, I need to add two queries so that they come out as different fields in one visualization; one will be the error and one will be the success transaction.
ERROR:
index=sso Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY")
SUCCESS:
index=sso Appid="APP-49" PROD ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")
I need to add both queries and provide the count for errors and the count for successes, but while using this query the error transactions are summed with level!=error, so the error count is not matching:
index=ss Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") OR index=sso ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(environment="nonprod", 1,0)
| eval success_flag = if(level!="ERROR", 1,0)
| stats sum(err_flag) as total_errors, sum(success_flag) as total_successes by service_name
Please help, it would be great.
Hi, I have Splunk 9.0.6 and the Sysmon add-on 3.1.0. The lookup table called "microsoft_sysmon_eventcode.csv" correctly appears in the Splunk Lookup Table Files list. But, in the automatic lookup, Lookup-eventcode is wrongly assigned to the "eventcode" lookup instead of "sysmon_eventcode". Searching for this "eventcode" lookup, it belongs to the Defender app. Surprisingly, when I tried to fix this bug using the UI, the sysmon_eventcode lookup table did not appear in the dropdown list. I only see "sysmon-record_type-lookup". Do you have any idea what might be happening?
Thanks Pickle, the config tracker was pretty useful, as I found that the following settings in the app.conf file (deployer_push_mode & install_source_local_checksum) had been changed to a new value and then got reverted to the old value. I also found "deployer_push_mode=full" was then deleted from some SHC members, meanwhile "deployer_push_mode=full" is set on the deployer in the app.conf file of the app.
@AL3Z please check if the source is generating the data in the Event Viewer with the information that you are looking for?
@bharathkumarnec Hi, after investigating I came across audit process creation. Is this causing this issue? https://docs.splunk.com/Documentation/ES/7.2.0/Admin/ConfigureLogging
Splunk Slack is not support. Create a case via the support portal.
Hi, I agree that is correct, and this was an example of 2 SPLs I had, but I had other issues elsewhere where the SPLs were different. The UNION command was able to help me out in this case. Thanks, Robert
You're asking the wrong question. Both of your searches start with the same base search, so either you should be able to do it all in one go, or your searches produce differently aggregated results, so it doesn't make sense to combine them with appendcols.
How to get rid of UNKNOWN_VERSION in the Splunk UI? This is happening on all browsers (Chrome, Edge, Firefox) and clearing the cache does not help.
1. Log in to Splunk and observe the version by mousing over the tab.
2. Refresh the page; it will be shown correctly.
3. Now log out and log in again.
4. Observe the version by mousing over the tab. It again shows UNKNOWN_VERSION.
I also want to know how to increase all labels and the title in a bar chart (Dashboard Studio).
@dinesh_bendigo I haven't tested this, but I don't think this will work. The collection you mention isn't exported to the system, but instead is app-only (splunk-dashboard-studio). Because of this, it's not clear to me how allowing the user role read permissions to splunk-dashboard-images will allow them to upload images on dashboards in other apps that aren't splunk-dashboard-studio.
Hi - Is there a way to get 2 non-streaming searches to run in parallel in the same SPL? I am using "appendcols", but I think one is waiting for the other to finish. I can't use multisearch as I don't have streaming commands. The issue is displaying the license used by Splunk, and I want to run 2 SPLs in parallel. However, it's very slow if I run the 2 in sequence. Thanks in advance for any help.
index=_internal [ `set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool = "*"
| search idx != "mlc_log_drop"
| timechart span=1d sum(b) AS Live_Data fixedrange=false
| fields - _timediff
| foreach * [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
| appendcols [ search index=_internal [ `set_local_host`] source=*license_usage.log* type="Usage"
    | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
    | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
    | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
    | bin _time span=1d
    | stats sum(b) as b by _time, pool, s, st, h, idx
    | search pool = "*"
    | search idx = "mlc_log_drop"
    | timechart span=1d sum(b) AS Log_Drop_Data fixedrange=false
    | fields - _timediff
    | foreach * [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]]
No, unfortunately I didn't get it solved. But I didn't spend any more time on the problem.
Hi, I have a Splunk Enterprise environment. After doing the SAML configuration via the frontend, it's not redirecting to the portal after authentication. What could be the reason?
Hi, I'm running the curl command:
curl -vvvvv https://prd-p-xxxxx.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk <token>" -d '{"sourcetype": "my_sample_data", "event": "ping"}'
and I got:
* Trying <IP>:8088...
* connect to <IP> port 8088 failed: Operation timed out
* Failed to connect to prd-p-xxxxx.splunkcloud.com port 8088 after 17497 ms: Couldn't connect to server
* Closing connection 0
curl: (28) Failed to connect to prd-p-xxxxx.splunkcloud.com port 8088 after 17497 ms: Couldn't connect to server
I have a free trial, HEC is enabled and the token is valid. What could cause this problem?
You are correct, mvexpand of a values() or list() field will duplicate the event. If you want to count by ErrorCode separately, include ErrorCode in your by clause of the stats command.