@ITWhisperer Double checked, and it was indeed an issue of permissions on the lookup transform. A big thanks from me for helping!
One additional remark about your searches (both the outer one and the subsearch) - don't use wildcards at the beginning of your search term if you can avoid it.
"i understand that there is way to send particular field/value to a nullqueue" You understand wrong, I'm afraid. As @richgalloway pointed out - you can send _whole events_ to nullQueue if they match certain regex (or other criteria in case you use INGEST_EVAL). You can use transforms to cut specific parts of the events with regexes. But in the ingest pipeline Splunk has no knowledge about the search-time fields (the ones created with REPORT or EXTRACT entries as well as calculated fields or field aliases). It only knows the index-time fields (the default metadata ones and custom index-time extractions if any are defined). So if you want to trim your events you'd have to manipulate them with regexes. But since your events are structured, it'd be probably better to process your events before ingesting them into Splunk with something that can interpret XML and can selectively filter it based on XML structure, not plain regexes.
There are no miracles. Something must have been changed by someone. 1. Use btool to see where the settings come from 2. Check the config tracker to see when there were changes made to your environment. https://www.splunk.com/en_us/blog/platform/splunking-your-conf-files-how-to-audit-configuration-changes-like-a-boss.html?locale=en_us
It seems to be no different than other working lookups on the same application. What else can I check other than the lookup's application permissions?
Is the lookup visible to the user you are authenticating with for the API call?
That is a different question, given that you don't appear to have any dates in your dataset.
That works although it makes little difference to the pie chart
Hello all, I use the Splunk API in order to export an SPL search. All queries are working well on my local dev environment and most work on the production server. All queries that include or read from a certain lookup (let's call it "SessionEntities") seem to return empty. For instance the query " | inputlookup SessionEntities" returns empty. The same query works locally and, even stranger, works on the Splunk search page on the same server, while the same query with a different lookup returns results. That lookup is no different from the others (no bigger content size), but still. Does anyone have an idea why this could be happening?
Error thrown: Internal configuration file error. Something wrong within the package or installation step. Contact your administrator for support. Detail: Error: duplicate l keys is not allowed at appendError. I'm trying to create a new app in Splunk add-on builder. This error is thrown whenever I load the app's inputs or configuration page
What I mean by "revert certain application objects back to old settings" is that we noticed that 4 applications were reverted to the old version and the objects affected are dashboards, saved searches, search files, props.conf and transforms.conf. For example: we configured an alert to run every 2 minutes, then changed it to run every 5 minutes, and after the issue it was switched back to run every 2 minutes. The last bundle was pushed from the deployer server on November 7th and the issue occurred on November 10th.
Hi all, I am new to Splunk and would appreciate some community wisdom. We are trying to get data from an external AWS S3 bucket (hosted and managed by a 3rd party supplier) onto our internal enterprise Splunk instance. We do not have any AWS accounts. We have considered whitelisting but it is not secure enough. The supplier does not use AWS Firehose. Any ideas?
Hi, what do you actually mean by "the objects of specific Apps reverted back to old settings"? Are old lookups in use, old KOs in use after you apply the shcluster-bundle on the deployer? If that is the case, then you should read and check this: Choose a deployer push mode [shclustering]. r. Ismo
Hi, a couple of additional comments: When you are indexing data, REPORT- isn't executed; it (like EXTRACT) works only at search time. When you have several TRANSFORMS stanzas on their own lines, those are applied in ASCII order of their names! If you want to apply those in a specific order, put them in one TRANSFORMS-xyz = a, e, c, b, d or ensure that the names are evaluated in the correct order (use e.g. 000x, 001y, 002a etc.). One good set of instructions for the index phase is https://www.aplura.com/assets/pdf/props_conf_order.pdf. Aplura has some other Cheat Sheets which help. r. Ismo
You should look at the CSS and create your own to update those properties.
Hi, probably best to create a support case and/or add comments/questions to the docs and/or ask this on Slack? r. Ismo
One more vote for not using join or union. It usually has more issues than it solves. Here is one old post on how to replace join with stats for different join types: https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948 There are also many .conf presentations on why you should use stats instead of join, like https://conf.splunk.com/watch/conf-online.html?search=join%20without%20join#/ r. Ismo
Hi, it sounds like you have just a normal Linux box with standard syslog configured to take all remote syslog entries into one log file. Instead of that it's better to configure syslog (rsyslog or syslog-ng) to separate logs into their own files like (/var/logs/syslogs/<host>/<date>/xyz) when they come in. Then just read those files and use that <host> as the hostname when you are sending them to Splunk. Another option is to set up SC4S to collect and send that syslog to Splunk. r. Ismo
and no, it's NOT Dashboard Studio compatible - I steer well clear of DS for the time being as XML is so much more flexible at the current time.
That was an XML example dashboard and is dependent on you installing the number display viz - otherwise it will not work at all. As for the 100 values issue - I mentioned that would be a problem if you had more than 100 results - one of the other posts showed an alternative solution that did not need to use list(), but used streamstats+eventstats. Note that it also highlighted a difference in behaviour when having scores of the same value, in that percentrank would be different for each of the students with the same score.