I'm new and learning, can you please help with the query below? I have a JSON file with the data below, and I would like to get name and status and display them in a table. Help here is much appreciated. I'm new to Splunk.

Desired table:

Name                                      Status
assetPortfolio_ValidateAddAssetForOthers  passed
assetPortfolio_ValidatePLaceHolderText    failure
assetPortfolio_ValidateIfFieldUpdated     passed

Data:

{
  "name": "behaviors",
  "children": [
    {
      "name": "assetPortfolio_ValidateAddAssetForOthers",
      "status": "passed"
    },
    {
      "name": "assetPortfolio_ValidatePlaceHolderText",
      "status": "failure"
    },
    {
      "name": "assetPortfolio_ValidateIfFieldUpdated",
      "status": "passed"
    }
  ]
}
Thanks. Solution works.
Thanks. This works
Define a new field that contains either eventid or event_id, whichever is present, and group events on that field.

index=foo (source=foo1 OR source=foo2) (eventid=* OR event_id=*)
| eval eventID = coalesce(eventid, event_id)
| stats values(*) as * by eventID
Which fields are you trying to match?  What exactly does "verify" mean in this context?
My go-to fix for most issues with MC displaying incorrect info is to go to: MC app > Settings > General setup > Click apply changes. Then refresh and verify.
@bowesmana @ITWhisperer  Can you please guide on it
I'm getting the same error now in my SSE app. Did you ever figure out how to solve it?
Apparently, the link node needs to be in every condition node. Is there a better way to do this?
We had upgraded to Splunk 9.0.4 on a RHEL7.9 machine. STIG RHEL-07-040000 states the following:

Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.

The fix is the following: Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/ :

* hard maxlogins 10

Will this in any way impact Splunk functionality? Is it ok to make this change and not impact Splunk?
Did a bit of testing on a different box, and correct, you do not need to adjust the "default" web.conf file. I did have to edit the local web.conf as well as the "var/run/splunk/merged" web.conf files.  Just Local was not enough.
Hi, I have a bar chart powered by a query that uses an eval case pattern to group events into apps. E.g.:

index=blah NOT "*test*" NOT "*exe*" Level=Error
| eval AppName = case(
    (SourceName="Foo" AND Message="*Bar*"), "app1",
    (SourceName="Foo"), "app2",
    (source="Mtn" AND 'Properties.Service'="Barf"), "app3",
    (SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*")), "app4"
  )
| stats count as ErrorCount by AppName

What I'd like to do is have each bar, when clicked, open a new window that shows the events corresponding to the app. E.g., for the above example, the queries would be:

index=blah NOT "*test*" NOT "*exe*" Level=Error (SourceName="Foo" AND Message="*Bar*")
index=blah NOT "*test*" NOT "*exe*" Level=Error (SourceName="Foo")
index=blah NOT "*test*" NOT "*exe*" Level=Error (source="Mtn" AND 'Properties.Service'="Barf")
index=blah NOT "*test*" NOT "*exe*" Level=Error (SourceName="Whatever" AND match(_raw, ".*Service = OtherThing.*"))

The problem I am having is how to make the drilldown XML node function thusly. I thought I could use conditional tokens, but when condition nodes are in the drilldown node, I get an error saying "link cannot be condition", even though the link node is the last sibling of all the condition nodes. Please help! Thanks, Orion
Hello, I have just installed the ML toolkit for Splunk. However I keep getting this error when I attempt to create a fit model:

"Error in 'fit' command: (ImportError) DLL load failed while importing _arpack: The specified procedure could not be found."

I have installed the Python for Scientific Computing Module before this. I've already tried uninstalling and reinstalling, but I keep getting the same error. Any help would be much appreciated!
Being fairly new to many features in Splunk, I wish to verify that the fields on 2 different hosts match for consistency. Here's a simple search to show the fields I'd like to verify. What's the best way to go about this?

index="postgresql" sourcetype="postgres" host=FLSM-ZEUS-PSQL-*
| table host, node_name, node_id, active, type
| where NOT isnull(node_name)

host               node_name          node_id  active  type
FLSM-ZEUS-PSQL-02  flsm-zeus-psql-02  2        t       standby
FLSM-ZEUS-PSQL-02  flsm-zeus-psql-01  1        t       primary
FLSM-ZEUS-PSQL-01  flsm-zeus-psql-02  2        t       standby
FLSM-ZEUS-PSQL-01  flsm-zeus-psql-01  1        t       primary
Hi there: I have two events shown below:

Event #1: source=foo1 eventid=abcd
Event #2: source=foo2 event_id=abcd

I am trying to query the above events. The event source is different. One is foo1 and the other foo2. I want to find these events where they are linked with their event_id (from event #1 where source is foo1) and eventid (from event #2 where the source is foo2). Basically the value for eventid and event_id must be the same. Do you know how I can construct the query for this? Thanks!
Splunk 6.1 error and cannot search:

Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com....
The search job has failed due to an error. You may be able view the job in the Job Inspector

When I check Settings -> System -> Licensing and click "show all messages", there are 5 messages on Nov 3rd, 4th, 7th, 8th, 9th:

"This pool has exceeded its configured poolsize=21474836480 bytes. A warning has been recorded for all members"

How do we troubleshoot and resolve this to get search working again? We do not have an active Splunk support contract.

Regards, Jason
Hi, is it possible to organize users by functional area, for example: Security, IT, NetOps, ...? In these areas, each team might monitor specific metrics related to their functional area, or they might monitor a general set of metrics for the specific systems they manage, or both.
Hi, Splunk Enterprise latest. New to Splunk. Ingesting from some appliances via syslog on a UDP port. All is fine for INGESTING logs. Event numbers are actively increasing; however, when I go into "Search", it has completely stopped. For example, I have 50k events and a latest update of 10:52. I click on the data source "udp:9006" and the last event shown is from 10:30. Things were working great and in real time up until 10:30, then it just stops completely. Any ideas? Thanks
Wait a minute. Are you ingesting those logs from files??? Because then it would make sense indeed. I suppose everyone involved assumed that as we're talking about ingesting windows events we were talking about eventlog input, not monitor one.