All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hi @gcusello, that's correct, I used the GUI data extraction feature to obtain the parameters, and the output (shown above) was applied in my props.conf file.
Yes, they are individual field values. 
This isn't the case, all columns are individual field values. The original log is of the following format: <date_time> <month> <id> A=1 B=0 C=0 ...
Hi, are A, B, C, D fields?
Hi @Utkc137, if the field name having the values A, B and C is "id_cnt", you could use the chart command:

    <your_search> | chart count OVER month BY id_cnt

Ciao. Giuseppe
Greetings, I am struggling with creating a table in Splunk which would do the following transformation: find the discrete count of id for A, B, and C where the value is 1, by month. Currently, I am calculating values for each column individually using eventstats and combining the results. However, we have a lot of columns (a, b, c, d, ...) and thus the SPL does not perform efficiently. Looking for a more efficient approach to this. Thanks in advance!
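An added example, not from this thread, of doing the whole transformation in one pass instead of one eventstats per column: for each flag column, keep the id only where the flag is 1, then take the distinct count of all of those helper fields in a single stats. The field names month, id and the flag columns A, B, C come from the question; the inline rows are constructed sample data, and makeresults format=csv is assumed to be available (Splunk 9.1 or later), so on older versions replace the first command with your own search.

```spl
| makeresults format=csv data="month,id,A,B,C
2023-09,u1,1,0,1
2023-09,u2,1,1,0
2023-09,u1,1,0,0
2023-10,u3,0,1,1
2023-10,u1,1,1,0"
| foreach A B C [ eval <<FIELD>>_id = if(tonumber('<<FIELD>>')==1, id, null()) ]
| stats dc(*_id) AS * BY month
```

With the sample rows this yields, for 2023-09, A=2 (u1 and u2), B=1, C=1, and for 2023-10, A=1, B=2, C=1; the id u1 appearing twice in September is counted once because dc() deduplicates. The wildcard in dc(*_id) AS * picks up every helper field at once, so adding a column only means adding its name to the foreach list (the explicit form is stats dc(A_id) AS A dc(B_id) AS B dc(C_id) AS C BY month). Do not use foreach * here: it would also match month and id.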
Hi @ucorral, did you try to create the sourcetype by GUI, manually uploading the file using the Add Data feature? Ciao. Giuseppe
Hi @PavelP, no, there isn't any way to delete it; you can only modify it by GUI. But why do you want to delete it? Ciao. Giuseppe
Thank you Giuseppe, I just voted for your EID-I-72 idea. Then I'll stay with modifying the menu using the UI. The problem is there is no way to delete local/data/ui/nav/default.xml using the UI. Or is there a workaround?
Hello @drew19, does the `suppression` macro help? If not, I would suggest creating a custom macro where you can filter based on fields, and using it in all the searches. Please accept the solution and hit Karma, if this helps!
Hello @ThuLe, there should be an input available in the dropdown menu. Can you please confirm if this is something you are looking for? Please accept the solution and hit Karma, if this helps!
Hello @VK18, if you are using ES, you would be able to see the Retention Period under ES -> Audit -> Data Model Audit. You can also see the retention period through the search below:

    | rest /services/admin/summarization by_tstats=t splunk_server=local count=0
    | eval key=replace('title',"tstats:DM_".'eai:acl.app'."_",""), datamodel=replace('summary.id',"DM_".'eai:acl.app'."_","")
    | rename summary.time_range AS retention
    | eval retention=retention/(60*60*24)
    | table datamodel retention

Please accept the solution and hit Karma, if this helps!
Hello @almomani, first and foremost, if the new SHC build is not in place, you can build a cluster and include the current SH as a member to replicate the KOs along with the KVStore. However, if two clusters are already in place, you will need to manually append values for incident_review_comment_lookup, incident_review_lookup, and incident_updates_lookup. You may also want to have events under the notable and risk indexes if required. Please let me know if you have any follow-up questions. Also, please test it out on dev/pre-prod before appending values in Production.
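An added example, not part of the answer above, of the manual append for one of the three lookups it names. The first search runs on the old search head and exports the records; outputcsv writes the file under $SPLUNK_HOME/var/run/splunk/csv, and it has to be copied by hand into the same directory on the new search head before the second search is run there. The third search is run on both sides to compare row counts. The export file name is an assumption; repeat the same three steps for incident_review_comment_lookup and incident_updates_lookup.

```spl
| inputlookup incident_review_lookup
| outputcsv es_incident_review_export

| inputcsv es_incident_review_export
| outputlookup append=true key_field=_key incident_review_lookup

| inputlookup incident_review_lookup
| stats count AS rows
```

inputlookup returns the _key of each KV store record, so the import carries it over; append=true keeps the records already on the new search head, and key_field=_key is meant to make a row whose _key already exists update that record rather than duplicate it. That upsert behaviour is the assumption to confirm on dev/pre-prod first, as the answer says, by running the import twice and checking that the row count does not grow.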
Thanks !
Hello @gcusello, I've already added it to the stanza but it is still failing.
Hi @ucorral, use INDEXED_EXTRACTIONS = csv. You could try to manually upload your file using the GUI, which guides you in the best sourcetype definition. Ciao. Giuseppe
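An added example, not the poster's file and not from Giuseppe's reply, of the INDEXED_EXTRACTIONS = csv approach for the CSV shown in the question. The sourcetype name is the placeholder used in the question and the header and timestamp column come from its sample rows; the monitored path and index name are assumptions. The check a practitioner would want here: LINE_BREAKER, SHOULD_LINEMERGE, TIME_PREFIX and TZ are parsing-phase settings that a universal forwarder does not apply (they take effect on the indexer or a heavy forwarder), whereas INDEXED_EXTRACTIONS and its companion settings are applied on the forwarder itself, which is why this stanza can change the outcome when the one in the question cannot. A constant lag of exactly 6 hours is also what a timezone mis-assignment for America/Mexico_City (UTC-6) would produce, so the timestamp settings are the first thing to verify.

```ini
# props.conf on the universal forwarder (etc/system/local or a deployed app).
# Example configuration; the sourcetype name is the question's placeholder.
[name_of_my_sourcetype]
INDEXED_EXTRACTIONS = csv
HEADER_FIELD_LINE_NUMBER = 1
FIELD_DELIMITER = ,
# The first column ("Resources" in the header) carries the event time.
TIMESTAMP_FIELDS = Resources
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TZ = America/Mexico_City
CHARSET = UTF-8

# inputs.conf on the same forwarder: ties the file to the sourcetype.
# Path and index are assumptions.
[monitor:///var/log/myapp/resources.csv]
sourcetype = name_of_my_sourcetype
index = macos_logs
```

After restarting the forwarder, a search such as sourcetype=name_of_my_sourcetype | table _time Resources line data process should show one event per data row with _time equal to the Resources column; if _time is still shifted, the timestamp is not being taken from that field and TIMESTAMP_FIELDS or TIME_FORMAT is the place to look.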
Hello guys! I have been trying for a month to forward my logs from iMacs using the UF, with the following format:

    Resources,line,data,process
    2023-09-30T06:35:02,"Scanned disks....... "
    2023-09-30T06:35:02,User: ......
    2023-09-30T06:35:02,...........
    2023-09-30T06:35:02,............
    2023-09-30T06:35:02,Time of completion: ..........

but when the log gets into Splunk it only shows the first row:

    Resources,line,data,process

and the rest of the log reaches Splunk 6 hours later. I've added the following rule in props.conf but it is still failing. Path: /Applications/SplunkForwarder/etc/system/local/props.conf

    [name_of_my_sourcetype]
    CHARSET=UTF-8
    TIME_FORMAT=%Y-%m-%dT%H:%M:%S,
    TIME_PREFIX=^
    LINE_BREAKER=([\r\n]+)
    NO_BINARY_CHECK=true
    SHOULD_LINEMERGE=true
    TZ=America/Mexico_City
    disabled=false

After every change I make I always restart the Splunk forwarder using ./splunk restart. I have no access to the Splunk server (SSH), but if needed I could try to make some configurations, though I do not know where.
Hi @felipesodre, when your bucket completely exceeds the retention time (also the earliest event in the bucket) or the bucket reaches the maxSize, it can be discarded or moved offline to a different folder. As described at https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Indexesconf , it depends on the parameter coldToFrozenScript, which specifies a script to run when data is to leave the Splunk index system, in other words, what happens to the bucket after the retention period. If, using a script, you move your cold bucket offline, you can re-use it by copying it into the thawed path. Otherwise you can discard it and the entire bucket is deleted. You can find more details in this document https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Setaretirementandarchivingpolicy Ciao. Giuseppe
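An added example, not from Giuseppe's reply, of the indexes.conf settings that implement what the reply describes, for an index called my_index; the index name, paths, retention period and size limit are all assumptions. It uses coldToFrozenDir, the built-in alternative to coldToFrozenScript, so that frozen buckets are archived rather than deleted.

```ini
# indexes.conf on the indexer (example; name, paths and limits are assumptions)
[my_index]
homePath   = $SPLUNK_DB/my_index/db
coldPath   = $SPLUNK_DB/my_index/colddb
thawedPath = $SPLUNK_DB/my_index/thaweddb
# A bucket rolls to frozen once every event in it is older than 90 days ...
frozenTimePeriodInSecs = 7776000
# ... or once the whole index exceeds 500 GB (oldest buckets go first).
maxTotalDataSizeMB = 500000
# Archive frozen buckets here instead of deleting them. This setting and
# coldToFrozenScript are mutually exclusive; with neither set, Splunk deletes
# the bucket when it freezes.
coldToFrozenDir = /archive/splunk/my_index
```

Archiving with coldToFrozenDir keeps only the bucket's raw data, so bringing a bucket back means copying its directory from the archive into thawedPath, running splunk rebuild on that bucket directory to regenerate the index files, and restarting the indexer; buckets in thaweddb are not subject to frozenTimePeriodInSecs, so they stay until removed by hand.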
Hi @PavelP, I believe that the Splunk app menu configuration page is indecent; for this purpose I made a request on Splunk Ideas, which please vote for: https://ideas.splunk.com/ideas/EID-I-72 . In any case, the only way to do it could be a Python script, but there would always be the problem of rights: do all users have the right to modify the menu of an app? For these reasons, I am sorry, but I believe that your request cannot be satisfied. Ciao. Giuseppe
I want to allow the user to change/switch the nav bar by clicking a button on the setup page. What is the easiest way to create a setup page (html + js) that changes the app's navigation menu bar (nav/default.xml)? From:

    <nav>
      <view name="summary"/>
      <collection label="NEW">
        <view name="summary_new"/>
      </collection>
    </nav>

to:

    <nav>
      <view name="summary_new"/>
      <collection label="OLD">
        <view name="summary"/>
      </collection>
    </nav>

Currently the user must use the UI to create a custom navigation setting (by creating local/data/ui/nav/default.xml).