All Posts

I have the same issue, please help.
Without knowing what your events look like, it is difficult to say whether this is right or not. For example, do CPUPercentage and MemoryPercentage appear in the same event? Having said that, "stats count by metricCount" is almost certainly wrong, as all you will be left with is a single field called count, so the where command will always be false. Also, your title suggests an AND condition but your where command is using an OR condition. This is a bit confusing. Please clarify what you are trying to do and include some (anonymised) representative sample events, preferably unformatted, in a code block (</>).
Hi, most of the Splunk forwarders installed on servers are running as NT Authority and I would like to change this to local admin. I have tried modifying the Ansible roles to fix this but haven't been successful. Any ideas on what can be done will be appreciated.
Hi Everyone, hope everyone is alright. I have the below base search. I am trying to build an alert.

index=idx-cloud-azure "*09406b3b-b643-4e86-876e-4cd5f5a8be57*" metricName=MemoryPercentage OR metricName=CpuPercentage

This is the condition which I have to follow: CPUPercentage > 85, MemoryPercentage > 85, where CPUPercentage and MemoryPercentage are values of a field called metricName. I am doing it like this:

index=idx-cloud-azure "*09406b3b-b643-4e86-876e-4cd5f5a8be57*"
| eval metricCount=if((metricName="MemoryPercentage" OR metricName="CpuPercentage"),1,0)
| stats count by metricCount
| where MemoryPercentage > 85 OR CpuPercentage > 85

Not sure if this is the correct way to do it. Could anyone please suggest a better way? Thanks in advance.
I haven't worked with this particular add-on, but normally if you would like to exclude events from indexing you'd create a section in transforms.conf:

[choose_a_unique_name]
REGEX = regex_that_matches_events_that_you_want_to_exclude
DEST_KEY = queue
FORMAT = nullQueue

and then add it to the sourcetype/source/host in props.conf:

[sourcetype_name]
TRANSFORMS-unique_name = name_from_the_transforms.conf

Since this is an add-on not developed by you, these changes should be done in local. Eventtypes are used on data that is already indexed in Splunk. This is why you can't use them to stop certain data from getting indexed into Splunk, since they are calculated at search time.
Hi @Bisho-Fouad, if you're using a wrong password, you get a different message. I suppose that there's something strange in your installation. In general I'd hint to reinstall the system, but they are Cluster Manager and Deployment Server, so it isn't possible! Open a case to Splunk Support, it's the best solution! Ciao. Giuseppe
Could this help maybe? https://community.splunk.com/t5/Splunk-Search/Why-are-large-Splunk-searches-causing-quot-Request-URI-too-long/m-p/437368
Try something like this:

index="dockerlogs-silver" source="*gps-external-processor-prod*" "Handle 500 Server error" OR "Handle 4xx error"
| where traceID IN ([search index="dockerlogs-silver" source="*gps-external-processor-prod*" "00012342231515417786" | stats count by traceID | eval search="\"".traceID."\"" | stats values(search) as search | eval search = mvjoin(search,",")])
Hi community, I have installed the Splunk Add-on for Salesforce on a Heavy Forwarder and have been collecting data from Salesforce Object and Event Log. I've noticed that sfdc:logfile is huge and I don't need all the records, but from the UI there is no way to filter the collection. Is there a way we can filter out the EVENT_TYPE? I need only events with EVENT_TYPE="LightningPageView". Any help is appreciated. Thank you, Marta
Hi @gcusello. 1- Did you try using this admin account? Yes, I tried, and that is the account which faces the issue. Also, it's the only user I have in the system. Any other recommendations?
If you want to see only data that is before the 30th, the following line does not make sense:

| eval timeline2=relative_time(timeline1,"-1w@w1")

The data is correct, but since you reduce the timeline date by 1 week it shows 23rd October instead of 30th. It's purely visual though. The data does not change because of this command, since you are not filtering against the time of the events after the change. Just remove this line and the data should be correct. Additionally, I'd suggest using the same time conversion. Converting weeks with %V starts at count 1 while doing it with %U starts at 0. You are using both in the same query.

| eval lastmodifiedWeek=strftime(epoc_last_modified,"%Y-%U")
| eval timeline="30-Oct-23"
| eval timeline_date=strptime(timeline,"%d-%b-%y")
| eval new_timeline=strftime(timeline_date,"%Y-%U")
| where lastmodifiedWeek<=new_timeline
| stats count by Lookup lastmodifiedWeek
| eval timeline1 = strptime(lastmodifiedWeek." 1", "%Y-%U %w")
| eval timeline = strftime(timeline1, "%Y-%m-%d")
| table timeline , Lookup count
| chart values(count) as count over timeline by Lookup
| fillnull value=0
| tail 4
| reverse

If I misunderstood you and you want the data that comes after the 30th, then you'd additionally have to change the "where" line to the following:

| where lastmodifiedWeek>=new_timeline
Your where command is excluding events which are earlier than 30-Oct-23, which is why you are seeing no data from then.
When I run your search I get too many results; with rare I get only 10 results. Is there no option to use rare and add more fields to the table?
Looking at your data, it appears that the rex would give you multi-valued fields, which you can't then do arithmetic on. Please explain what it is you are trying to actually do.
Hi @Bisho-Fouad, every Splunk system can have two kinds of users: local users, manually created on the system, and users from the external authentication system, who depend on the Auth system. At least, every Splunk system has a local user usually called "admin", which is created at installation time. Did you try using this admin account? It seems that in this system you have only the admin user and no other ones. Ciao. Giuseppe
I'm glad I was able to help! 
Hi again @gcusello. 1- Which kind of troubles? Please check the attachment. 2- Have you your login page? Yes, it appears normal. 3- Is your account a local or LDAP account? Sorry, but can you guide me on what the difference is, as a new user in Splunk? Thanks for your time.
@gcusello Same issue I am facing. As I had checked, the above solution worked and it is working fine. Until September I received (email notification) the report for the alert triggered, but it has stopped since October. What could be the issue?
Hi @Bisho-Fouad, which kind of troubles? Have you your login page? Is your account a local or LDAP account? If local, you only have to remember the password; if LDAP, check the integration by entering with a local account. Ciao. Giuseppe
Hi JohnEGones. I already have an admin user, and have used it to log in many times before, but I'm having trouble logging in with my admin account, even though I've added it to the cluster master twice and verified it with CLI commands. Any recommendations?