All Posts

We have a newer (built within the past 6 months) Webex add-on available here. The older add-on that Splunk offered via Splunkbase leveraged the XML API, which is now deprecated. This newer add-on leverages REST. Today, this just includes Meetings, but we are set for a new release very soon that will include Calling as well, specifically data from the Get Detailed Call History API.
Support Portal is broken and I am unable to submit a case because one of the required fields cannot be selected (see attached image): "Splunk Support access to your company data: --". I've emailed support@splunk.com, which was suggested in other community posts, but it has now been 2 months and several chase-up emails and there is still no response from support.
Hi, I want to run a PowerShell script on a Windows universal forwarder according to a cron schedule. My input looks similar to this:

[powershell://Test]
script = . "$SplunkHome\etc\apps\test\bin\test.ps1"
schedule = */15 * * * *
index = test

Besides running every 15 minutes as it should, I noticed that the script also runs every time Splunk starts. Reading https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf, it says: "Regardless of which option you choose, the command or script always runs once when the instance starts." I don't want that. I don't want the script to run when Splunk starts. Is there any way to disable that?
Dear Splunk Community, I'm currently facing an urgent issue in my Splunk environment: my storage utilization has reached 95%, which threatens system continuity and performance. I plan to move older data to external storage before it's too late, but I haven't yet implemented a bucket policy to automate time-based data retention. I would greatly appreciate your expertise on:
- Best practices for safely and efficiently migrating old data from my current Splunk indexes to external storage.
- Recommended scripts or Splunkbase apps that facilitate this process.
- How to ensure continued access to the migrated data when needed, without impacting search performance.
- Any additional suggestions, practical examples, or links to detailed documentation.
Thank you in advance for your time and assistance. Kind regards,
Hi, I am looking to extract all Health Rule violations in AppDynamics (Servers, Application, EUM and all). Currently I can see only how to pull violations from a specific application. I need to understand how to use the API to pull all the violations for a specified time period. If not through the API, is any other method available? Will there be an event generated for each violation, and if so, where is it stored and viewed?
For the NetApp Data ONTAP plugin this is because the tar within the tgz contains hydra and the ontap package.
Deleting code due to internal policy.
Hi @uagraw01, could you share the code of your dashboard? Ciao. Giuseppe
@gcusello @livehybrid I have removed all the inputs. But the option is still not displayed.
Hi @uagraw01, inputs are the fields that you might have at the top of your dashboard, such as a time picker, dropdowns, text inputs etc. Do you have any of these? If so, this is why you won't have the option to schedule PDF delivery.
What do you mean by inputs? Are you asking for input tokens?
Hi @uagraw01, does your dashboard include any inputs such as time pickers, dropdowns etc.? If so, this will prevent the PDF schedule option.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing.
Hi @uagraw01, it's possible to schedule a PDF of a form only if the form doesn't contain any inputs. Remove all your inputs and the PDF schedule option will be available. Ciao. Giuseppe
Apart from what's already been said, you're using the case() function where a simple if() would suffice. case() is good when you want to handle separate disjoint cases, and it's still good to have a fallback case at the end. Since the conditions in case() are evaluated left to right and the first matching case is used, typical use for case() is something like this:

| eval field=case(condition1, value1, condition2, value2, ..., always_true, fallback_value)

By convention the always_true condition is usually 1=1 (this one is indeed always true). Without that fallback condition you might end up with the field not filled with any value if no conditions match your data. What's important with case() is that the conditions are evaluated from left to right, so it can be used to narrow the scope of comparisons if used correctly. For example:

| eval result=case(x<0, "negative x", y>0, "non-negative x, positive y", 1=1, "non-negative x, non-positive y")

As you can see, subsequent conditions do not reference the x field at all, because the first comparison already handled all negative x-es and there is no chance we'd get to those cases with negative x. But circling back to your search: unless you can have another value not handled by the case() (which you then should add to the conditions), it's sufficient to use a simple if() function. It might be a tiny bit faster since it only handles one simple boolean test and assigns the value based on whether the result is true or false. And you're guaranteed to have a value as a result because the condition can only evaluate to true or false. Whether this value is the correct one is a completely different story.
Hi Splunk Community, I would appreciate your guidance regarding enabling Scheduled PDF Delivery in Splunk. Currently, the option does not appear for my Classic (Simple XML) dashboard, and I'm unsure how to enable or configure it correctly.
@onthakur Try something like this.

index=xyz (X_App_ID=abc API_NAME=abc_123 NOT externalURL) OR ("xmlResponseMapping")
| stats values(accountType) as accountType values(accountSubType) as accountSubType by X_Correlation_ID

KV
Hello Friends, I am trying to join 2 logs in the same index using trx_id (here it is called X_Correlation_ID), but the subquery is returning more than 3000K rows, hence it is not working. Can someone please help me with another way to join two logs without using the "join" command?

index=xyz X_App_ID=abc API_NAME=abc_123 NOT externalURL
| rename X_Correlation_ID AS ID
| table ID
| join ID [search index=xyz "xmlResponseMapping" | rename X_Correlation_ID AS ID | table accountType,accountSubType,ID]
| table ID,accountType,accountSubType
Thanks for your help. I incorporated the logic to handle "all" and the user prefix. Worked great.
I said this before, it's worth repeating: map is usually not the right tool. But in this case, it can help. You can do something like this:

| makeresults format=csv data="file
lk_file_abc3477.csv
lk_file_xare000csv
lk_file_ppbc34ee.csv"
| map search="inputlookup $file$ | stats values(duration_time) AS duration_time by path | makemv delim=\"\n \" duration_time | eval duration_time=split(duration_time,\" \") | stats p90(duration_time) as \"90th percentile (sec)\" by path | sort path | sendmail to=\"someone@example.com\""
You have made a number of errors with your field naming. You are mixing Logs and logs; to Splunk these are different fields. So in your first example you do

| eval logs=case(count>0, "1", count=0, "2")
| eval Status=case(Logs=1, "Green", Logs=2, "Red")

where you are testing Logs in the second statement but set logs in the first, and in your latest post you do

| fillnull logs

which will create a lower case logs field with a value of 0, which you then immediately follow with a fillnull for Logs. So, take care with field names.