All Posts


Nice idea, the conversation doesn't really work but it's a nice direction! Anyway, the filter doesn't work. The error (Studio): "Cannot convert undefined or null to object"

Code:

{
    "options": {
        "items": [
            {
                "label": "All",
                "value": "*"
            }
        ],
        "defaultValue": "*",
        "token": "WinTimeStamp"
    },
    "title": "Multiselect Input Title",
    "type": "input.multiselect",
    "dataSources": {
        "primary": "ds_ICA_General"
    }
}

Classic studio code:

<input type="multiselect" token="WinTimeStamp" searchWhenChanged="true">
  <label>Time</label>
  <choice value="%">All</choice>
  <default>%</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>(WinTimeStamp like("</valuePrefix>
  <valueSuffix>"))</valueSuffix>
  <delimiter> OR </delimiter>
  <fieldForLabel>WinTimeStamp</fieldForLabel>
  <fieldForValue>WinTimeStamp</fieldForValue>
  <search base="ICA_General">
    <query> | stats values(WinTimeStamp) as WinTimeStamp_ | sort WinTimeStamp_</query>
  </search>
</input>
The individual search below is working (it extracts the host_name field and joins it with the host_name field in the search), but I am getting the error "Error in 'rex' command: Invalid argument: '('"

index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" | rex field=hostname "(?<host_name>[^.]+)\."

but it's giving fewer results when using the search below, whereas the individual search has many. Here is the full query:

index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" | rex field=hostname "(?<host_name>[^.]+)\." [ | table host_name, sourceIp
Please check the above screenshot: how can I convert the count column to GB, and how can I know which unit the count is measured in?
Hello everyone, I am encountering an issue with the Alert Manager Enterprise application: following the triggering of an alert, no event is created in my dedicated index. The status of the health check is okay, and we are able to create test events:

Another point to note is that in the application's troubleshooting logs, when an alert is triggered, the event creation occurs but nothing is created in the index:

There are no permission issues, as I have confirmed by manually writing a search showing that we can create events in the index:

| makeresults | eval user="TEST", src="192.168.0.1", action="create test event" | sendalert create_alert param.title="Hello $result.user$" param.template=default

This successfully creates my event in my index. I have exhausted my troubleshooting ideas; do you have any suggestions on how to resolve this issue? Thank you for your help. MCH
@djoherl are all the necessary add-ons for the onboarded log sources installed? The Health Check dashboard will give some information to start with...
@maayan I would assume that if you open the dashboard there are three dots in the top right corner; if you click there you will see an option to clone it in Dashboard Studio.
How can I convert a classic dashboard to Studio?
@maayan clone the classic dashboard to Dashboard Studio?
@maayan Please check multiselect input using Splunk Dashboard Studio https://docs.splunk.com/Documentation/Splunk/latest/DashStudio/inputMulti
How do I change my code to something like the filter in the image? https://docs.splunk.com/Documentation/Splunk/9.1.1/DashStudio/inputMulti
Sorry for the late answer. By "\"source\" originalField" I mean the field which contains this kind of logs
"The best one" actually depends on your: 1) Business needs 2) Budget (and other) constraints.
Hi, I implemented an input filter, but I want to improve it. Customers want to select multiple values from the filter and then select more values. In the current situation they need to select 'All' and then select the values again (each time they want to add values they need to select All --> select values --> remove All). In addition, they want to select all values except one value, which currently takes time to do. Is there a smarter filter input in Splunk? My code:

<input type="multiselect" token="WinTimeStamp" searchWhenChanged="true">
  <label>Time</label>
  <choice value="%">All</choice>
  <default>%</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>(WinTimeStamp like("</valuePrefix>
  <valueSuffix>"))</valueSuffix>
  <delimiter> OR </delimiter>
  <fieldForLabel>WinTimeStamp</fieldForLabel>
  <fieldForValue>WinTimeStamp</fieldForValue>
  <search>
    <query> | where $Name$ | dedup WinTimeStamp | sort WinTimeStamp</query>
  </search>
</input>

Thanks, Maayan
@bowesmana I have set up my window as below: I have taken the time range as Last 15 minutes and set the cron schedule as */15 * * * *. I am still not getting emails and incidents on time. If the events are getting generated at 12:30 pm IST, I want the alert to be triggered at that time itself, via email or via incident. @bowesmana can you please help me with what time range and cron schedule I should set to get alerts on time?
Hi @VK18 .. for HF to indexer (for LM the method is also similar, I think).. please check this: https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/ConfigureSplunkforwardingtousesignedcertificates
Hi All, I am trying to create a dashboard in Studio with dynamic coloring elements for single value searches (i.e. traffic lights). When I go to the Coloring > Dynamic Elements dropdown to select Background, it will not select. A click just makes it disappear and show None in the dropdown. The search works fine and displays the correct value. Running Enterprise on-prem version 9.0.0 BUILD 6818ac46f2ec. I have not found anything on the net or here to suggest this version has an issue. Looking to update to 9.1.1, but as this is production that is a planned exercise. The search is

index=SEPM "virus found" | stats count(message) as "Infected hosts"

and I have this traffic light in the normal dashboard build. Just trying Studio to see how it is. Any help appreciated!
Hi Team, At present, SSL encryption is enabled between the Universal Forwarder (UF) and the Heavy Forwarder (HF), while communication from HF to Indexers occurs without SSL encryption. However, there are plans to establish an SSL channel between the HF and Indexers in the future. Additionally, communication between Indexers and the License Master, as well as between HF and the License Master, currently operates through non-SSL channels. There is a requirement to transition these communications to SSL-enabled connections. Could you provide guidance or documentation outlining the necessary implementation steps for securing the communication from Indexers & HF to License Master to facilitate these changes?
Hi, Thanks for your response. My desired results:

Item  StartTime  EndTime   Duration
A     02:05:00   02:15:00  00:10:00
B     02:15:05   02:25:05  00:10:00
B     02:40:05   02:45:05  00:05:00

I had tried similar methods to yours but got wrong results. Fail duration should be calculated from the first fail to the first success. Thus the actual record count should be 3 instead of 5. Sorting may not be the root cause for my question. It seems that if there are 2 "fail" events, the "transaction" command generates 2 overlapped records:

B  02:20:05 (fail)  02:25:05 (success)  00:05:00
B  02:15:05 (fail)  02:30:05 (success)  00:15:00

The time duration of the first one is included in the second one. 02:30:05 (success) should not be considered as the end of the fail event; 02:25:05 (success) is the correct one.
I want to point out that these two warnings are breaking my jobs, because on some machines I am using the splunkforwarder CLI to run queries on the Splunk cluster and export the results to files.

https://docs.splunk.com/Documentation/Splunk/9.1.1/Search/ExportdatausingCLI

These two extra warning lines are now written to the export files as well. I think it is OK for the CLI to print warnings, but the splunk CLI should follow best practice and write these warnings to stderr. Instead it is writing them to stdout, so we can't use the standard practice of "2> err.txt 1> export.csv" to handle warnings. Now I have to add this to ALL the script files which run the splunkforwarder CLI, which is pretty ugly:

| grep -vi "warning:" > export.csv

I wish there were a flag to disable warnings, or that the splunkforwarder CLI would at least write them to stderr instead of stdout.
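The grep workaround in the post above has a side effect worth checking before it goes into every job script: `grep -vi "warning:"` removes any line containing that substring, including exported event rows whose text happens to contain "WARNING:" (common in log data). The script below is an added example, not code from the original post or from Splunk; it assumes (an assumption, since the exact text of the two warnings is not shown) that the CLI's warning lines start with "WARNING:" and are printed on stdout before the CSV output. It strips only that leading preamble and leaves every row after the CSV header untouched, and it uses a constructed stand-in for the CLI output so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Splunk.
# Assumption: the CLI's warning lines start with "WARNING:" (any case) and
# are emitted on stdout BEFORE the CSV export itself.

# Constructed stand-in for the stdout of `splunk search ... -output csv`.
# Note the last row: the event text itself contains "WARNING:".
sample_cli_output() {
    printf '%s\n' \
        'WARNING: constructed sample warning line 1' \
        'WARNING: constructed sample warning line 2' \
        '_time,host,_raw' \
        '2024-01-01T00:00:00,web01,"ERROR: disk full"' \
        '2024-01-01T00:00:01,web02,"WARNING: certificate expires in 3 days"'
}

# Filter from the post: drops EVERY line containing "warning:",
# including the legitimate data row above.
naive_filter() {
    grep -vi 'warning:'
}

# Safer filter: drop only the warning lines that precede the first
# non-warning line; once the CSV header has been seen, pass everything
# through unchanged, whatever the rows contain.
strip_leading_warnings() {
    awk '
        body == 0 && tolower($0) ~ /^[ \t]*warning:/ { next }
        { body = 1; print }
    '
}

# Helper: number of lines on stdin, without wc's platform-dependent padding.
line_count() {
    awk 'END { print NR }'
}

# In a real job script the pipeline would look like this (stderr still goes
# to err.txt; stdout is cleaned before it lands in export.csv):
#   $SPLUNK_HOME/bin/splunk search '...' -output csv 2> err.txt \
#       | strip_leading_warnings > export.csv
if [ "${1:-}" = "demo" ]; then
    echo "rows kept by naive grep filter: $(sample_cli_output | naive_filter | line_count)"
    echo "rows kept by leading-warning filter: $(sample_cli_output | strip_leading_warnings | line_count)"
fi
```

Run it with `sh script.sh demo`: the naive filter keeps 2 lines (header plus one row, the "certificate expires" event is lost), while the leading-warning filter keeps all 3 lines of the export. If the real warning text turns out not to begin with "WARNING:", adjust the regex in strip_leading_warnings to match the actual prefix rather than widening it to a substring match.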
Hi @cpuffe ... this can get mixed views depending on the person's Linux interests. You can decide depending upon your budget and your support team members' Linux preferences. RHEL is a good choice too. For the full list of supported OSes, you can check this documentation.. thanks. https://docs.splunk.com/Documentation/Splunk/9.1.1/Installation/Systemrequirements