All Posts

Is this what you mean? | stats dc(username) by type
For Studio, try absolute layout.
If I recall correctly, I had issues with earlier versions of Splunk; however, I am unable to reproduce any errors at the moment. Please share your dashboard source code in a code block </>.
Splunk HEC will not accept events on the /event endpoint if they are not valid JSON.  I believe an error will be returned in that case, however.
Here is what I am attempting to do: I am trying to calculate the distinct count of the 'type' of users that are active. In my log files all of my users have a user name that follows this pattern: ABCD.aUserName
I am trying to calculate how many distinct users there are that are active for each 'type', where in the above example ABCD is the type. First looking for high level approach ideas and want to dig into it myself to see what I can get to work, but I just am not able to wrap my noodle around how to even approach it? I can extract the 'type' and the 'username', but if I have two extracted fields how do I correlate the two to be able to perform a count of dc(usernames) by type?
What is your question?  We need a lot more information before we can help.  What help do you need?  What is the dashboard expected to do?  Is the data already onboarded with fields extracted?  What have you tried so far and what have been the results?
I have a sample data something like below.

    {
      "Year": {
        "Top30RequesterInOneYear": { "Bob": 22, "Marry": 12 },
        "TotalRequestCountInOneYear": { "9": "K", "10": "C" },
        "Top10ActionInOneYear": { "31": "update table", "33": "Display log" }
      },
      "Month": {
        "Top30RequsterInOneMonth": { "Foo": 3, "Bob": 6 },
        "TotalRequestCountInOneMonth": { "1": "K", "5": "C" },
        "Top10ActionInOneMonth": { "10": "Display log", "11": "update table" }
      },
      "Week": {
        "Top30RequesterInOneWeek": { "Bob": 6 },
        "TotalRequestCountInOneWeek": { "15": "C" },
        "Top10ActionInOneWeek": { "3": "update table", "7": "display reboot" }
      }
    }

The output is expected is as below. Can someone please help me on this.

Top30RequesterInOneYear
Name | Count
Bob | 22
Marry | 12

TotalRequestCountInOneYear
Count | Status
9 | K
10 | C

Top10ActionInOneYear
Count | Action
31 | update table
33 | Display log

Top30RequsterInOneMonth
Name | Count
Foo | 3
Bob | 6

TotalRequestCountInOneMonth
Count | Status
1 | K
6 | C

Top10ActionInOneMonth
Count | Action
10 | display log
11 | update table

Top30RequesterInOneWeek
Name | Count
Bob | 6

TotalRequestCountInOneWeek
Count | Status
15 | C

Top10ActionInOneWeek
Count | Action
3 | update table
7 | display reboot
Versus opening a ticket with Cisco, I was hoping to see if the community could point me in the correct direction. I'm not particularly skilled but have tried some of the various options that were similar to my problem but with no luck.

Splunk version=8.2.3
OS=RHEL 8
Plugin=Cisco Nexus 9k Add-on for Splunk Enterprise from splunkbase.

I can get the plugin to connect using http as the connection method. I'm trying to get the https method to work. I can curl to the switch in question using the cert I generated (openssl req -x509 -newkey rsa:4096 -keyout hostkey.pem -out hostcert.pem -sha256 -days 30 -nodes -subj "/C=US.../CN=host") then imported to the switch. (curl --verbose --cacert hostcert.pem https://host) So at this point I'm confident that the cert and key are installed correctly on the switch and working as expected.

The error I'm receiving (truncated):
Caused by SSLError(SSLCertVerificationError [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate

My guess is that I need to install the certificate somewhere within the /opt/splunk/etc/auth directory, but I'm not sure. I saw some posts that said add to this file or copy into directory, but I can't find the one that works. Any insight is appreciated. Thanks
We cannot get all data in one single table. Alternatively we had to do it in separate panels. For Studio can you suggest some codes for the panels or cells alignment.
Try creating a search which returns all the data in a single table. Alternatively, you may be able to force the alignment of the panels in Studio.
Splunk Enterprise Version: 8.2.6, Build: a6fe1ee8894b
The column in the lookup - essentially, if there is no match in the lookup, the output field will be null.
Thank you for your explanation.  I will consider this in my architecture.
Which version of Splunk are you using?
Thank you so much!  Out of curiosity, is the isnotnull(CIDR) referring to the column in the lookup table, or to the matchtype that was set up when creating the lookup definition? 
Thank you for your response. I double checked and all the fields are correctly spelled. A coworker put 'AND' in front of the subsearch, and events are returning. She is using a lookup without the match type being set to CIDR(ip_address), so now I'm more puzzled.  EDIT: Oh yes, I forgot that you said that matchtype doesn't have meaning with inputlookup, so I guess that is why it doesn't matter in this case. Although I'm still puzzled as to why the 'AND' is making a difference.   
@richgalloway I discovered that sending the log to the raw endpoint works. However, the log is stripped down to the log body, which is what the documentation states (i.e. from docs: `send only the log's body`).

export_raw: false
endpoint: ".../services/collector/raw"

Resulting log (only the log body shows up in Splunk):
Example log record

I'm still having trouble figuring out why logs aren't coming through the normal event endpoint. The sample log I'm using is from the otlp log data spec.
Hi Team, we are using DB Connect 3.14.1 and Splunk Enterprise version 9.1.1. We have installed the DB Connect app and drivers, and when we are configuring the database we are getting the error "database connection is invalid, Login failed for the user", but using the same user name and password we are able to login to the database directly... Can anyone please suggest the answer for this?
Thank you so much, @ITWhisperer. That did the trick!
Nailed it! Thanks so much.