One more vote not to use join or union. It usually has more issues than it solves. Here is one old post on how to replace join with stats for the different join types: https://community.splunk.com/t5/Splunk-Search/What-is-the-relation-between-the-Splunk-inner-left-join-and-the/m-p/391288/thread-id/113948 There are also many .conf presentations on why you should use stats instead of join, like https://conf.splunk.com/watch/conf-online.html?search=join%20without%20join#/ r. Ismo
Hi, it sounds like you have just a normal Linux box with standard syslog configured to take all remote syslog entries into one log file. Instead of that, it's better to configure syslog (rsyslog or syslog-ng) to separate the logs into their own files, like /var/logs/syslogs/<host>/<date>/xyz, when they come in. Then just read those files and use that <host> as the hostname when you are sending them to Splunk. Another option is to set up SC4S to collect those syslog messages and send them to Splunk. r. Ismo
That was an XML example dashboard and is dependent on you installing the number display viz - otherwise it will not work at all. As for the 100 values issue - I mentioned that would be a problem if you had more than 100 results - one of the other posts showed an alternative solution that did not need to use list(), but used streamstats+eventstats. Note that it also highlighted a difference in behaviour when having scores of the same value, in that percentrank would be different for each of the students with the same score.
Thank you @ITWhisperer. Can you also help me with how I can add another column "Previous week Training Completion%", so that I can compare the progress from the previous week to the present week's training completion?
Hi @MrJohn230, I continue to prefer the solution I hinted at, because union is very similar to join and maintains the same limit of 50,000 results like all the subsearches. If it solves your requirement, use it, but I suggest you take the time to practice using stats, which is better and faster. Did you solve the initial issue with the eval? Ciao. Giuseppe
@bowesmana 1. Should I download and install the "Number Display Viz" app first in Splunk before applying your commands? 2. Will it work in Dashboard Studio? It looks like your commands are in XML format. 3. Also, I got this error when applying your solution, since the number of students is more than 100: 'list' command: Limit of '100' for values reached. Additional values may have been truncated or ignored. Please suggest.. I appreciate your help.. Thank you
Hello, your suggestion worked. Thanks for your help. I accepted this as a solution. Although the value field was labeled as "row 1", I was able to rename it as the "value" field: | rename "row 1" as value Please let me know if this is a good approach.. Thanks
@woodcock What is the best way to modify this script to support the API token approach? I have tried a few different versions, but am unable to get it to work properly. So....something like: curl -H "Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2......."
Hi @richgalloway, I've heard that the field name removal isn't feasible while we're receiving logs from the syslog server. Is that correct to your knowledge? Thanks
@LukeMurphey I'm trying to run the File/Directory Information Input app (v1.4.5) on a universal forwarder. It's a Windows server and I've installed the latest version of Python 3 (and set the app to use 3). I keep getting the same 3 errors in splunkd (copied from another post, as my system is isolated): "09-18-2019 10:47:10.099 +0200 ERROR ModularInputs - Introspecting scheme=file_meta_data: Unable to run "python "C:\Program Files\SplunkUniversalForwarder\etc\apps\file_meta_data\bin\file_meta_data.py" --scheme": child failed to start: The system cannot find the file specified. 09-18-2019 10:47:10.356 +0200 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts 09-18-2019 10:47:10.356 +0200 ERROR ModularInputs - Unable to initialize modular input "file_meta_data" defined in the app "file_meta_data": Introspecting scheme=file_meta_data: Unable to run "python "C:\Program Files\SplunkUniversalForwarder\etc\apps\file_meta_data\bin\file_meta_data.py" --scheme": child failed to start: The system cannot find the file specified.." (Except it says Python3.exe instead of python.) Other posts with these errors did not have Python installed, or one said their PATH environment variable was incorrect but didn't elaborate. My PATH is set with the 2 default values from the installer, if that matters.
Hi, I am trying to use the hyperlink markdown you shared with someone else, but when I add [Markdown Guide](https://www.markdownguide.org) inside the email body of a send email action (SMTP), I get exactly the above with no link added: just text, no hyperlink. Could anybody help me figure out how I can get a hyperlink to show in the body of the send email action? I am on version 5.3.2.88192 - I also tried the <a> tag with the href, and that doesn't work either.
I don't have a SEDCMD that would do that well. SEDCMD applies to _raw rather than individual fields so a regex would have to be very specific to avoid removing too many spaces or otherwise damaging other fields.
>>> I developed a regex to strip out the unwanted events. It's working as expected. So, may I know if your problem is resolved, or do you still have some issues? Please suggest, thanks. Karma points / upvotes are appreciated, thanks.
@inventsekar Thanks for your response. We have UF and indexer. I developed a regex to strip out the unwanted events. It's working as expected. SEDCMD-Remove1=s/^\[\d{2}\/\d{2}\/\d{4}\s\d{2}\:\d{2}:\d{2}]\s+<Event was scheduled based on job definition.>// SEDCMD-Remove2=s/^\[\d{2}\/\d{2}\/\d{4}\s\d{2}\:\d{2}:\d{2}]\s+<Executing at CA_AGENT>// SEDCMD-Remove3=s/^\[\d{2}\/\d{2}\/\d{4}\s\d{2}\:\d{2}:\d{2}]\s+-+//
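An added example, not from the poster or from Splunk: the three SED expressions above re-applied with Python's re module to constructed sample events, so you can preview what each one removes before shipping it in props.conf. It assumes the events look like the bracketed timestamp the patterns expect (an assumption; the real event format is not on the page) and that Python's regex engine behaves like Splunk's for these simple patterns. The last sample shows a caveat: the unescaped `.` in `definition.>` matches any character, so an unexpected variant of that message would be stripped too.

```python
import re

# Shared timestamp prefix from the poster's patterns: "[MM/DD/YYYY HH:MM:SS]" plus spaces.
TIMESTAMP = r"^\[\d{2}\/\d{2}\/\d{4}\s\d{2}\:\d{2}:\d{2}]\s+"

# (name, pattern, replacement) for the three SEDCMD lines from the post.
# sed's s/// without the g flag replaces only the first match, so count=1 below.
SEDCMDS = [
    ("Remove1", TIMESTAMP + r"<Event was scheduled based on job definition.>", ""),
    ("Remove2", TIMESTAMP + r"<Executing at CA_AGENT>", ""),
    ("Remove3", TIMESTAMP + r"-+", ""),
]

# Stricter variant of Remove1 with the dot escaped, so only the literal message matches.
REMOVE1_STRICT = TIMESTAMP + r"<Event was scheduled based on job definition\.>"

# Constructed sample events (not real data) in the format the patterns expect.
SAMPLE_EVENTS = [
    "[09/18/2019 10:47:10]   <Event was scheduled based on job definition.>",
    "[09/18/2019 10:47:11]   <Executing at CA_AGENT>",
    "[09/18/2019 10:47:12]   --------------------",
    "[09/18/2019 10:47:13]   <Job FAILED: exit code 1>",
    # Differs from the noise message only in the final character before '>':
    "[09/18/2019 10:47:14]   <Event was scheduled based on job definitionX>",
]


def apply_sedcmds(event: str):
    """Apply each substitution in order; return (rewritten event, names that matched)."""
    matched = []
    for name, pattern, repl in SEDCMDS:
        event, n = re.subn(pattern, repl, event, count=1)
        if n:
            matched.append(name)
    return event, matched


def surviving_events(events):
    """Events that still carry text after all substitutions, i.e. the ones worth indexing."""
    return [e for e in events if apply_sedcmds(e)[0] != ""]


def stripped_by(pattern: str, event: str) -> bool:
    """True if a single substitution with this pattern would empty the event."""
    return re.sub(pattern, "", event, count=1) == ""


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        rewritten, names = apply_sedcmds(e)
        print(f"{names or ['-']:<12} -> {rewritten!r}")
    print("strict Remove1 strips variant:", stripped_by(REMOVE1_STRICT, SAMPLE_EVENTS[4]))
```

Running this shows that only the "Job FAILED" line survives; the "definitionX" variant is stripped by Remove1 as written but not by the strict pattern with `\.`.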
A common way to re-ingest data is by using the splunk add oneshot command. Splunk will re-ingest everything in the file, however, without regard to events that were previously indexed. To ingest only missing events, I would copy the file and remove the events that you don't want to read in again.
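An added example, not from the poster or from Splunk, of the "copy the file and remove the events you don't want to read in again" step. It assumes one event per line with an ISO-8601 timestamp as the first token (an assumption; the page does not show the file format) and that you know the timestamp of the newest event already indexed. Events sharing that exact timestamp are the edge case: by default they are treated as already indexed, but you can pass the set of raw events known to be indexed at that boundary to keep the ones that are not.

```python
from datetime import datetime
from pathlib import Path
import tempfile

# Constructed sample log (not real data): one event per line, ISO timestamp first.
SAMPLE_LOG = """\
2024-03-01T10:00:00 app=web msg=started
2024-03-01T10:05:00 app=web msg=request id=1
2024-03-01T10:05:00 app=web msg=request id=2
2024-03-01T10:10:00 app=web msg=request id=3
"""


def event_time(line: str) -> datetime:
    """Parse the leading ISO-8601 timestamp of an event line."""
    return datetime.fromisoformat(line.split(" ", 1)[0])


def missing_events(lines, last_indexed: datetime, indexed_at_boundary=None):
    """Return the events not yet indexed.

    Events newer than last_indexed are always kept. Events at exactly last_indexed
    are dropped unless indexed_at_boundary (a set of raw lines) is given, in which
    case only those not in the set are kept.
    """
    kept = []
    for line in lines:
        t = event_time(line)
        if t > last_indexed:
            kept.append(line)
        elif t == last_indexed and indexed_at_boundary is not None and line not in indexed_at_boundary:
            kept.append(line)
    return kept


def write_missing_events(src, dst, last_indexed: datetime, indexed_at_boundary=None) -> int:
    """Write a trimmed copy of src to dst containing only missing events; return the count."""
    lines = Path(src).read_text().splitlines()
    missing = missing_events(lines, last_indexed, indexed_at_boundary)
    Path(dst).write_text("".join(line + "\n" for line in missing))
    return len(missing)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d) / "app.log", Path(d) / "app.missing.log"
        src.write_text(SAMPLE_LOG)
        cutoff = datetime(2024, 3, 1, 10, 5)
        # Only "id=1" at the boundary is known to be indexed, so "id=2" and "id=3" are missing.
        n = write_missing_events(src, dst, cutoff, {SAMPLE_LOG.splitlines()[1]})
        print(f"{n} missing events written to {dst}")
        print(dst.read_text())
```

The trimmed copy is then what you hand to `splunk add oneshot`, so only the missing events are indexed.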