All Posts

Do you mean to say that a string like "{dt.trace_id=837045e132ad49311fde0e1ac6a6c18b, dt.span_id=169aa205dab448fc, dt.trace_sampled=true}" is at the beginning of the raw event? If so, you will need to first extract the part with compliant JSON. (It is also a very bad log pattern from your developer.) You can do so with

| eval json = replace(_raw, "^{[^}]+}", "")

(The actual method will depend on how raw logs are structured, how stable such a structure is, etc.) Then, apply spath.

| eval json = replace(_raw, "^{[^}]+}", "")
| spath input=json

Alternatively, get rid of the spurious part from _raw then spath.

| rex mode=sed "s/^{[^}]+}//"
| spath

Here is an emulation you can play with and compare with real data

| makeresults
| fields - _time
| eval _raw = "{dt.trace_id=837045e132ad49311fde0e1ac6a6c18b, dt.span_id=169aa205dab448fc, dt.trace_sampled=true} { \"correlationId\": \"3-f0d89f31-6c3c-11ee-8502-123c53e78683\", \"message\": \"API Request\", \"tracePoint\": \"START\", \"priority\": \"INFO\", \"category\": \"com.cfl.api.service\", \"elapsed\": 0, \"timestamp\": \"2023-10-16T15:59:09.051Z\", \"content\": { \"clientId\": \"\", \"attributes\": { \"headers\": { \"accept-encoding\": \"gzip,deflate\", \"content-type\": \"application/json\", \"content-length\": \"92\", \"host\": \"hr-fin.svr.com\", \"connection\": \"Keep-Alive\", \"user-agent\": \"Apache-HttpClient/4.5.5 (Java/16.0.2)\" }, \"clientCertificate\": null, \"method\": \"POST\", \"scheme\": \"https\", \"queryParams\": {}, \"requestUri\": \"/cfl-service-api/api/process\", \"queryString\": \"\", \"version\": \"HTTP/1.1\", \"maskedRequestPath\": \"/api/queue/send\", \"listenerPath\": \"/cfl-service-api/api/*\", \"localAddress\": \"/localhost:8082\", \"relativePath\": \"/cfl-service-api/api/process\", \"uriParams\": {}, \"rawRequestUri\": \"/cfl-service-api/api/process\", \"rawRequestPath\": \"/cfl-service-api/api/process\", \"remoteAddress\": \"/123.123.123.123:123\", \"requestPath\": \"/cfl-service-api/api/process\" } }, \"applicationName\": \"cfl-service-api\", \"applicationVersion\": \"6132\", \"environment\": \"dev\", \"threadName\": \"[cfl-service-api].proxy.BLOCKING @78f55ba\" }"
``` data emulation above ```
When you enable indexer clustering on the cluster manager what does the /opt/splunk/etc/system/local/server.conf file look like (don't post it ... there is sensitive stuff there)? Is anything getting port 8000 assigned to it?
I have a drill down in a Dashboard Studio panel that returns the start time of some events ($startTime$). I want to use the token as the earliest, and at the same time, I want to use $dd_span$+$startTime$ ($dd_span$ is created from a pulldown menu; it has options of 1d, 1h, 2h, etc.). I wanted to use the start time and end time to narrow down a search in another panel.

index=main (earliest=$startTime$ latest=$startTime$+$dd_span$) | spath ...

does not resolve. Is there a way to add the time together?
If you expand the event details using the chevron next to the event you will see a drop down that says Event Actions. Click that and select "Show Source". This will show you the lines before and after the event.
Is there any optimal way to get context both before and after for a search result? As in, if I search for a term like “Error”, I want to be able to see 10 lines before and after this message.
I want to enable/disable Splunk alerts in Splunk Cloud. How do I disable/enable alerts using REST API SPL commands in Splunk Cloud?
Were you able to resolve this? If so, what approach did you take?
I have to delete app.conf sometimes in deployment-apps, then reload the deploy-server to reset the state.
I'm not seeing how the $HIDEME$ token is ever set. Without that being set the whole row will stay hidden as it depends on that token.
Are you saying you want it both stacked and a weekly bar chart overlaying the stack?
I'm struggling to effectively use a minor amount of JavaScript which is intended to facilitate some in-dashboard help pages, and hoping that someone might be able to help me out.

Given this JavaScript (in <app>/appserver/static/js/help.js):

require([
    'jquery',
    'splunkjs/mvc/simplexml/ready!'
], function($) {
    $('#help-btn').on('click', function() {
        $('#help').toggle();
    });
    $('#help-close').on('click', function() {
        $('#help').toggle();
    });
});

And this dashboard which adds a "Dashboard Help" button (next to Edit), the idea would be that simply clicking the button will toggle() the #help id, which is the panel. In "Edit" mode, I can see my overview.html panel as well as the "Dashboard Help" button, and clicking it will perform the correct action. I've used this on live dashboards as well, successfully on some and not so much on others. I imagine there's some sort of timing condition with dynamic loading and whatnot that I'm running into. Can anyone advise?

<form version="1.1" script="common_ui_util:/js/help.js">
  <label>TEST</label>
  <row>
    <panel>
      <html>
        <div>
          <input id="help-btn" type="button" value="Dashboard Help" style="top: -40px;" class="btn default"></input>
        </div>
      </html>
    </panel>
  </row>
  <row depends="$HIDEME$">
    <panel id="help">
      <html>
        <button id="help-close" class="help-close close close_btn"/>
      </html>
      <html src="html_docs/overview.html"></html>
    </panel>
  </row>
</form>
Thank you for the response, but the suggestion does not resolve the problem. The dashboard needs to be delineated in a stacked format by District, with each District showing weekly results over a 4-week period.
Ok. One at a time.
1. While the default retention period for an index might be 6 years (I don't remember exactly but that sounds legit), the retention period for the _internal index is just 30 days (you can check where it's defined by doing splunk btool indexes list _internal --debug on your indexer).
2. While your environment might not be that long, there might be some events that were, for example, produced by hosts with badly configured time. Check the actual events to see where they came from. Remember that the timestamps do not have to reflect the time at which the event was ingested.
3. Events are rotated hot->warm->cold->frozen (deleted) as whole buckets. So the bucket gets rolled to frozen if the most recent event from that bucket is older than the retention period.
4. While most buckets will contain events from a relatively small time range, there is a special bucket created for each index which catches all "weird" events - older than expected or from the future. Since this bucket may contain events both very old (as is probably your case) as well as from the future, it might actually not get rotated for a long time.
5. Do a dbinspect of your index to see what buckets you have in your index and what time ranges they contain.
In a customer environment, we disabled all the rules from the ABAP agent, as you can see in the image below. We then stopped the ABAP agent by going into status, stop all, and waited 15 min to start it again. After the restart, with all rules disabled, we're still receiving some BTs in the controller. I'd like some help with that, please. Thank you. Luiz Polli
I have very little experience with scripting.
Ok - I understand what you're looking at. I'm also assuming you're not on Splunk Cloud since I will be referring to filesystem level things. Things like this are set within the indexes.conf configuration file. If you have your own defined indexes, you might have configured some of these time-to-live settings there. But, within the Splunk install there is a default set of indexes configured. For example, the default basic configs are in %SPLUNKHOME%\etc\system\default\indexes.conf. DO NOT EDIT THAT FILE. But you can look at it to see where some of the configurations might be coming from for internal Splunk indexes, the default values for stuff like frozenTimePeriodInSecs, etc. When you create your own indexes, Splunk creates additional indexes.conf files in various places depending on how you configured things (%SPLUNKHOME%\etc\system\local\indexes.conf or maybe in %SPLUNKHOME%\etc\apps\some_app_you_created\local\indexes.conf). Even if you tried to override the "default" value for something, it might not be in effect because of the Splunk conf file precedence.
Okay, I'm getting closer. I get a line chart to show up now. However, I need 3 different lines representing the 3 different customers and the number of submissions for each day. I just need to get the SPL right. Thanks for your assistance and patience!!
It's in the monitoring console: Indexes > Indexes and Volumes > Indexes and Volumes: Instance. I don't know where the 30 day Frozen Age is coming from.
I figured it out, the search link is saved under the search_link value.
I just checked a Splunk Cloud stack and the only users with the delete option are local. The SAML users do not have the Edit action, and therefore no delete.