All Posts


1. This part:
   | table hostname sourceIp | dedup hostname
   You realize that you will lose additional IP addresses on multihomed hosts?
2. Depending on your data (number of results, size of raw events, time of each search execution) there could be different ways to do that. There is a "join" command, but its use is generally discouraged. The typical way is to either append two result sets and do stats by the common field(s), or do a search across two sets, classify the fields into one of the sets (possibly renaming fields) and then do the stats.
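Added example, not part of the reply above: both points worked through in SPL on constructed data. The `makeresults format=csv data=...` form needs Splunk 9.0 or later; the hostnames, addresses, the inventory fields (host, ip, owner) and the field name forwarder_ip are assumptions made up for illustration. The first `stats` keeps every address of a multihomed host (run the same data through `| dedup hostname` and fwd01 shows only one address), and the `append` plus final `stats` merges the two sets on the shared key without `join`.

```spl
| makeresults format=csv data="hostname,sourceIp
fwd01.corp.example,10.0.1.10
fwd01.corp.example,10.0.2.10
fwd02.corp.example,10.0.1.11
shorthost,10.0.1.12"
| rex field=hostname "(?<host_name>[^.]+)\."
| eval host_name=coalesce(host_name, hostname)
| stats values(sourceIp) AS forwarder_ip BY host_name
| eval ip_count=mvcount(forwarder_ip)
| append
    [| makeresults format=csv data="host,ip,owner
fwd01,10.0.1.10,platform-team
fwd03,10.0.1.13,db-team"
     | rename host AS host_name
     | stats values(ip) AS inventory_ip values(owner) AS owner BY host_name ]
| stats values(forwarder_ip) AS forwarder_ip max(ip_count) AS ip_count values(inventory_ip) AS inventory_ip values(owner) AS owner BY host_name
| eval source_set=case(isnull(forwarder_ip), "inventory_only", isnull(inventory_ip), "forwarder_only", true(), "both")
```

The `coalesce` line covers the case the `rex` in the thread misses: a hostname with no dot does not match `[^.]+\.`, leaves host_name null and silently drops that host from the `BY` clause. The final `source_set` column is what you actually want from a two-set comparison: hosts seen only by the indexer, only in the inventory, or in both. In a real search, replace the two `makeresults` generators with the searches over your indexes.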
Licensing is fine. I switched to a TCP input from a UDP input from the SAME source and everything is fine: all the logs are ingested, indexed and searchable properly. UDP seems to be the issue. I am using the admin account created during install. Splunk is installed on a Windows server with admin privileges. It is just a single head, no cluster or separate indexers.
I am trying to install Events Service from the Enterprise Console but don't know how to handle this error. This is the error:
Task failed: Starting the Events Service api store node on host: newMachineAp as user: root with message: Connection to [http://newMachineAp:9080/_ping] failed due to [Failed to connect to newmachineap/192.168.27.211:9080].
How old is your deployment? Because the "internal" Splunk communication on 8089 and the KV store on 8191 have been TLS-enabled by default for a long time now. It's just that if you've not configured it with your own certs, it's using the default Splunk certs (which is not the best idea). But TLS as such is enabled. With inputs/outputs it's a different story: you have to explicitly enable splunktcp-ssl inputs and outputs. And keep in mind that you can't have both TLS and non-TLS inputs if you're using indexer discovery.
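Added example, not part of the reply above: the explicit configuration the reply refers to, an indexer-side splunktcp-ssl input and the matching forwarder outputs, both pinned to a private CA. File locations, hostnames, port 9997, the certificate paths and the group name idx_tls are placeholders chosen for illustration; substitute your own. Splunk replaces the plaintext `sslPassword` with an encrypted value on the next restart.

```ini
# Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf
# Added example; paths, port and hostnames are placeholders.
# Do not keep a plain [splunktcp://9997] stanza alongside this one if you
# rely on indexer discovery: inputs must be all-TLS or all-plaintext.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = <private key password, encrypted by splunkd on restart>
requireClientCert = true
sslVersions = tls1.2

# Indexer and forwarder: $SPLUNK_HOME/etc/system/local/server.conf
# Trust only your own CA instead of the default Splunk CA shipped with every install.
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem

# Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup = idx_tls

[tcpout:idx_tls]
server = idx1.example.internal:9997, idx2.example.internal:9997
clientCert = /opt/splunkforwarder/etc/auth/mycerts/forwarder.pem
sslPassword = <private key password, encrypted by splunkd on restart>
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal
useACK = true
```

To check that the setting actually took effect, run `splunk btool inputs list splunktcp-ssl --debug` on the indexer to confirm which file wins, and `openssl s_client -connect idx1.example.internal:9997` from the forwarder host: a TLS handshake with your indexer certificate means the port is no longer accepting plaintext. `requireClientCert = true` together with `sslVerifyServerCert = true` gives mutual authentication, so a host that merely knows the indexer address cannot inject events.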
I am not sure how we can help you - it is not clear what count_gb and count are, do you just need to multiply them together to get your answer? | eval product=count*count_gb
Nice idea, the conversion doesn't really work but it's a nice direction! Anyway, the filter doesn't work. The error (Studio): "Cannot convert undefined or null to object"
Code:
{
    "options": {
        "items": [
            {
                "label": "All",
                "value": "*"
            }
        ],
        "defaultValue": "*",
        "token": "WinTimeStamp"
    },
    "title": "Multiselect Input Title",
    "type": "input.multiselect",
    "dataSources": {
        "primary": "ds_ICA_General"
    }
}
Classic code:
<input type="multiselect" token="WinTimeStamp" searchWhenChanged="true">
  <label>Time</label>
  <choice value="%">All</choice>
  <default>%</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>(WinTimeStamp like("</valuePrefix>
  <valueSuffix>"))</valueSuffix>
  <delimiter> OR </delimiter>
  <fieldForLabel>WinTimeStamp</fieldForLabel>
  <fieldForValue>WinTimeStamp</fieldForValue>
  <search base="ICA_General">
    <query>| stats values(WinTimeStamp) as WinTimeStamp_ | sort WinTimeStamp_</query>
  </search>
</input>
The individual search below is working (it extracts the host_name field, which I join with the host_name field in the other search), but I am getting the error "Error in 'rex' command: Invalid argument: '('":
index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" | rex field=hostname "(?<host_name>[^.]+)\."
It gives fewer results when used in the search below, even though the individual search has many. Here is the full query:
index=_internal sourcetype=splunkd source="/opt/splunk/var/log/splunk/metrics.log" | rex field=hostname "(?<host_name>[^.]+)\." [ | table host_name, sourceIp
Please check the above screenshot. How can I convert the count column to GB, and how can I know which unit the count is measured in?
Hello everyone, I am encountering an issue with the Alert Manager Enterprise application: following the triggering of an alert, no event is created in my dedicated index. The status of the health check is okay, and we are able to create test events.
Another point to note is that in the application's troubleshooting logs, when an alert is triggered, the event creation occurs but nothing is created in the index.
There are no permission issues, as I have confirmed by manually writing a search that shows we can create events in the index:
| makeresults | eval user="TEST", src="192.168.0.1", action="create test event" | sendalert create_alert param.title="Hello $result.user$" param.template=default
This successfully creates my event in my index. I have exhausted my troubleshooting ideas, do you have any suggestions on how to resolve this issue? Thank you for your help. MCH
@djoherl all the necessary add-ons for the onboarded logsources are installed? Health check dashboard will give some information to start with...
@maayan I would assume if you open the dashboard and there are three dots to the top right corner, if you click there you will see an option to clone in dashboard studio..
How can I convert a classic dashboard to Dashboard Studio?
@maayan clone the classic dashboard to dashboard studio?
@maayan Please check multiselect input using Splunk Dashboard Studio https://docs.splunk.com/Documentation/Splunk/latest/DashStudio/inputMulti
How do I change my code to something like the filter in the image? https://docs.splunk.com/Documentation/Splunk/9.1.1/DashStudio/inputMulti
Sorry for the late answer. By "\"source\" originalField" I mean the field which contains this kind of logs:
"The best one" actually depends on your: 1) Business needs 2) Budget (and other) constraints.
Hi, I implemented an input filter, but I want to improve it. Customers want to select multiple values from the filter and then select more values. In the current situation they need to select 'All' and then select the values again (each time they want to add values they need to select All, select the values, then remove All). In addition, they want to select all values except one value, which currently takes time to do. Is there a smarter filter input in Splunk?
My code:
<input type="multiselect" token="WinTimeStamp" searchWhenChanged="true">
  <label>Time</label>
  <choice value="%">All</choice>
  <default>%</default>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>(WinTimeStamp like("</valuePrefix>
  <valueSuffix>"))</valueSuffix>
  <delimiter> OR </delimiter>
  <fieldForLabel>WinTimeStamp</fieldForLabel>
  <fieldForValue>WinTimeStamp</fieldForValue>
  <search>
    <query>| where $Name$ | dedup WinTimeStamp | sort WinTimeStamp</query>
  </search>
</input>
Thanks, Maayan
@bowesmana I have set up my window as below: I have set the time range to Last 15 minutes and the cron schedule to */15 * * * *. I am still not getting emails and incidents on time. If the events are generated at 12:30 pm IST, I want the alert to be triggered at that time itself, via email or via incident. @bowesmana can you please help me with what time range and cron schedule I should set to get alerts on time?
Hi @VK18, for HF to indexer (for the LM the method is similar, I think), please check this: https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/ConfigureSplunkforwardingtousesignedcertificates