All Posts
Hello, I am setting up a test instance to be a license master and trying to connect a second Splunk install to point to this license master. All Splunk 9.4.1. Getting the error on the peer "this license does not support being a remote master". I've installed a developer license and it shows 'can be remote', so not sure why I cannot connect a peer to it. On the LM it lists 4 licenses and the 'dev' one is #2; do I need to change the license group to activate the 'dev' license?
Hi @danielbb  No, you can only use those items in the dropdown. If you try and "Advanced Edit" the alert to use a field you get a validation error. The only other thing you might be able to do is manually edit the savedsearches.conf and *try* using a field returned in there; however, Your Mileage May Vary. This would also introduce management issues regarding the alert as it might make it impossible to edit in the UI, so whilst I'm saying it might be possible, I wouldn't recommend it, I'm afraid.  Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hi @danielbb , instead of a scheduled report, use an alert that fires if the number of results is greater than 0. Ciao. Giuseppe
Hi @danielbb , could you better describe your request? Are you speaking of Splunk Enterprise or Enterprise Security? Ciao. Giuseppe
Running version 9.3, the log-local.cfg doesn't seem to be applied. Even after a restart, Splunk is throwing >10 of these INFO lines per second. This message should probably be moved to the DEBUG category... It is possible there's another issue with my instances, but this mess of logs is making it very hard to troubleshoot. `splunk set log-level TcpInputProc -level WARN` does work. Modifying log.cfg also works.
We would like to dynamically populate the severity field, is it possible?  
Hi @danielbb  If you want to be able to conditionally run the email alert action then it needs to be an Alert rather than a report. This allows you to only send if the number of results > 0. What are the customer's reservations about having an alert vs a report? They are pretty much the same thing.  Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Is there a way to avoid sending an empty report? I'm thinking about converting the report to an alert but the customer would like to keep it as a report. 
Hi there, did you end up finding a resolution to this?
Have you checked the search log or splunkd.log on the remote search head?
Sorry, I thought I replied earlier. There were no major changes made at that time. The data flowing inbound had made a drastic change, breaking the parsing expressions at that time. I found initially just using built-in JSON parsing wasn't working properly, but after massaging the data by dropping some leading characters in the data stream, that worked a lot better. I don't have the particulars to provide at the moment, but this data is parsable without the need to manually specify regex expressions for each field, or create custom field extractions. Thanks for your message!
And what about the other one... My question is why remote search doesn't work: `splunk search "index=\"some remote index on splunk cloud\" | head 10"` I'm getting the following error: ERROR: Unknown error for indexer: <splunk cloud>. Search results may be incomplete. If this occurs frequently, check on the peer.
Hi @krutika_ag  Users are required to have the admin_all_objects capability and the power role to upload pictures/images to Dashboard Studio, which I admit is a bit frustrating for users, as you shouldn't be giving this capability out to non-admins! For more info please see https://splunk.my.site.com/customer/s/article/Capability-Required-to-Add-Images-to-Dashboard-Studio  Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
@michael_vi wrote: I'm trying to run a search via CLI from federated Splunk instance > Splunk Cloud. Everything is configured correctly and I have access to all indexes that are on Splunk Cloud from the Federated Instance via the web interface. But when I'm trying to check the connection via CLI on the Federated Search instance with `splunk display app -uri https://<splunk cloud uri>:8089` I get this error: argument uri is not supported by this handler splunk
That's because "-uri" is not an option to the display command. Run `splunk help display app` to see the full syntax.
Thanks for that bit! This is the rest of what I have come up with: index=index sourcetype=sourcetype log_type=type host=host | stats count | eval Logs=case(count>0, "Green", count=0, "Red") | eval pulse="pulse" | fillnull logs | fillnull value=green Logs | table Logs pulse This will be in a "studio dashboard".
@Petermann You have tried to piggy-back your question onto someone else's solved question without a clear indication as to how your question is related. Since this is already marked as solved, it is less likely to receive the attention you might wish. You would be better off starting your own question, clearly stating your use case, providing sample data (anonymised as minimally as possible, of course), showing what your expected output would be, what you have tried, what errors/messages you are getting, and stating why this is not what you want.
What is it that you are trying to achieve (because you have tagged timechart and stats for example, but are not doing any stats based on time)?
Hi @ajmach343  You need to perform an aggregation using stats count before you can use the count field in an eval statement. The count field is generated by aggregation commands and is not available directly during the eval processing of individual events. index=index sourcetype=sourcetype log_type=type hostname=host | stats count | eval Status=case(count > 0, "Green", count == 0, "Red") The stats count command counts the number of events matching your initial search criteria for the specified host within the selected time range. The result is a single row containing the count field. Then, the eval command uses the case function to check the value of this count field and assign "Green" or "Red" to the Status field accordingly.  Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
I am looking to make a "pulse" dashboard for a host on my network; it will pulse green when the host is up and red when it is down. So far I have: index=index sourcetype=sourcetype log_type=type hostname=host | eval logs=case(count>0, "1", count=0, "2") | eval Status=case(Logs=1, "Green", Logs=2, "Red") I believe there is an error in the case line with the count. I have to be missing something. Any insight would be helpful!
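The "pulse" thread above covers a single host, where `stats count` always returns one row (count=0 when nothing arrived), so `eval` can colour it directly. The same approach silently breaks once you group `BY host`: a host that stopped logging produces no row at all, so it never turns Red. The search below is an added example, not code from any post in this thread; it generalises the single-host check to a list of expected hosts. The three sample events and the host list are constructed inline with `makeresults` so the search runs offline on any Splunk instance; the host names web01, db01 and db02 are made up.

```spl
| makeresults count=3
| streamstats count AS n
| eval host=case(n=1, "web01", n=2, "web01", n=3, "db01")
| stats count BY host
| append
    [| makeresults
     | eval host=split("web01,db01,db02", ",")
     | mvexpand host
     | eval count=0
     | fields host count]
| stats sum(count) AS count BY host
| eval Status=if(count > 0, "Green", "Red"), pulse="pulse"
| table host count Status pulse
```

The first four lines stand in for the real base search (`index=... sourcetype=... log_type=... | stats count BY host`); the `append` subsearch stands in for the expected-host inventory (in production, `| inputlookup your_hosts.csv | eval count=0`). Because every expected host contributes a zero row before the final `stats sum(count)`, a host with no events still appears, with count 0 and Status "Red"; with the constructed input the result is web01 Green (2), db01 Green (1), db02 Red (0). The `pulse` column is kept only because the dashboard in the thread tables it.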
That's not exactly right. The httpout uses the same port as "ordinary" HEC input and uses the same token-based authorization, but the data is sent using an S2S-over-HTTP protocol. It's not the same as what the normal /event endpoint uses. So while you indeed can use it in situations when normal "unknown" protocol connectivity is disallowed, so that you can leverage HTTP proxy support and such, it's in no way a standard HTTP POST-based data pushing method. So the answer to @sudha_krish is no: you can't use httpout output to send data out to a non-Splunk HTTP server. BTW, there is no "headers" parameter for any Splunk outputs, let alone the httpout one.