All Posts

It should produce the following if the xrq_h_x-corapi-target-id e.g. contains IIDP099999 and this value is not found in the lookup. How do I get the contents of the variable and not the name of the variable itself?

    ProviderId    ProviderName
    IIDP099999    IIDP099999
    IIDP06300     My Bank AG
I have the following query:

    index=obh_prod sourcetype=obh:edge:api proxy!="ow*"
    | lookup blink_six_providers ProviderId as pxrq_h_x-corapi-target-id OUTPUT ProviderId ProviderName
    | fillnull value=target_id ProviderId ProviderName
    | dedup ProviderName ProviderId
    | table ProviderId ProviderName

If no values are found, ProviderId and ProviderName should both get the value of pxrq_h_x-corapi-target-id. It actually now produces:

    ProviderId                   ProviderName
    pxrq_h_x-corapi-target-id    pxrq_h_x-corapi-target-id
    IIDP06300                    Valiant Bank AG
    IIDP00761                    Aargauische Kantonalbank

It should produce the following if the xrq_h_x-corapi-target-id e.g. contains IIDP099999 and this value is not found in the lookup. How do I get the contents of the variable and not the name of the variable itself?

    ProviderId    ProviderName
    IIDP099999    IIDP099999
    IIDP06300     Valiant Bank AG
    IIDP00761     Aargauische Kantonalbank
I have a dashboard that shows/hides a panel whenever an option in the checkbox is ticked, which is already working. My problem is that whenever I select the option as the default value, the panel is still hidden when I open the dashboard. Any idea on this? Or am I missing something?

Here's some part of my XML.

    <input type="checkbox" token="check">
      <label>Category Type</label>
      <choice value="db_gc_wait">DB GC Waits</choice>
      <choice value="concurrent_manager">Concurrent Managers</choice>
      <choice value="blocking_session">Blocking Session</choice>
      <choice value="longrunning_job">Long Running Jobs</choice>
      <choice value="crm_top_request">CRM Top Requests</choice>
      <choice value="workflow_mailer">Workflow Mailer</choice>
      <change>
        <condition match="$check$ = &quot;db_gc_wait&quot;">
          <set token="show_db_gc_wait">1</set>
          <unset token="show_concurrent_manager"></unset>
          <unset token="show_blocking_session"></unset>
          <unset token="show_longrunning_job"></unset>
          <unset token="show_crm_top_request"></unset>
          <unset token="show_workflow_mailer"></unset>
        </condition>
        ...
        <condition match="$check$ = &quot;db_gc_wait concurrent_manager blocking_session longrunning_job crm_top_request workflow_mailer&quot;">
          <set token="show_db_gc_wait">1</set>
          <set token="show_concurrent_manager">1</set>
          <set token="show_blocking_session">1</set>
          <set token="show_longrunning_job">1</set>
          <set token="show_crm_top_request">1</set>
          <set token="show_workflow_mailer">1</set>
        </condition>
        <!-- Unset all tokens -->
        <condition>
          <unset token="show_db_gc_wait"></unset>
          <unset token="show_concurrent_manager"></unset>
          <unset token="show_blocking_session"></unset>
          <unset token="show_longrunning_job"></unset>
          <unset token="show_crm_top_request"></unset>
          <unset token="show_workflow_mailer"></unset>
        </condition>
      </change>
    ...
    <row>
      <panel depends="$show_db_gc_wait$">
        <table>
          <title>Database GC Waits</title>
          <search>
            <query> MY QUERY</query>
            <earliest>$time_tok.earliest$</earliest>
            <latest>$time_tok.latest$</latest>
          </search>
          <option name="drilldown">cell</option>
        </table>
      </panel>
    </row>
Thx that worked fine
ok. sorry, But yes I have a combined index/search head, and a separate universal forwarder.  
100% -- this is causing all kinds of FUBAR in our organization. I get a half-dozen sales oriented announcements from Splunk -- but they couldn't be bothered to warn us about something that breaks all the forwarders?
Hi, I have a lot of alerts in my Splunk apps. Is there a way to count the number of alerts returning results by day, by month...? Is it possible? Thanks
Hi @ViniciusMariano, I don't think that's possible without JS, also because it isn't useful to have the All choice when you have the choice of all checkboxes. Ciao. Giuseppe
Hello folks, I have a question about multiple checkboxes. I'm using them to fill an "IN" command in my search and I have an "All option", and I was wondering if it is possible, when I check this "All option", for the others to be unchecked like in the example below [screenshots 1 and 2 not preserved], and if possible only using XML (without JavaScript).
I don't know how to do that.
Use btool

    splunk btool --debug props list splunk-logs

It will display all of the props for the sourcetype along with the file name in which the prop is defined. Remember, never change $SPLUNK_HOME/etc/system/default/props.conf and change $SPLUNK_HOME/etc/apps/*/default/props.conf only if it's your app. Otherwise, put the change in local/props.conf.
Thank you, that has worked. I've noticed we have got duplicates in our data. How can I dedup on PROPOSALNUMBER and PROPOSAL_NUMBER?
I have a Windows server whose OS crashed, but I have the Splunk database on another drive, which is fine. The steps I have performed in the new Splunk installation are:

1. Copied the configurations of the previous Splunk application from the backup I have into the new application.
2. Changed the database location and created the database structure on another drive apart from the C: drive.
3. From the earlier database I copied the indexed data into the new database, where I have overwritten the already present indexes which are created as per the indexer configuration.
4. When I restart Splunk I am getting a "DIRTY_DATABASE File (.dirty_database)" file generated.
5. But I can see the data in the indexes when I ran a search.

So, the question is whether the procedure I followed is correct or is there any other way to do this?

Thanks,
Your well wisher
I'm struggling to find documents on AppDynamics SaaS for ingestion capability in an agentless approach. Basically, I know I have to find a way of monitoring SAP CPI (in the cloud) and no agent can be installed there. I need a way of calling data from an external source and then gathering it in AppD or directly shipping the data to AppD. Does a feature like this exist and where is it documented? Best regards
Hi @isoutamo, thanks for your reply. I have seen the topics you've sent me. Unfortunately I noticed that these cannot be applied to my case, mainly because the errors are not on a custom Dashboard but on the Splunk Monitoring Console, so any modifications would be more complicated. It seems that my problem is strictly correlated to the folder "search_mrsparkle" that contains all the scripts giving me the error messages. This folder ended up in the path /opt/splunk/quarantined_files/share/splunk/ instead of its original path. Thanks,
Hi @blazingblu, I don't think that's relevant and anyway Splunk will upgrade Splunk Cloud soon, so the versions will be aligned. Only for your better tranquillity, open a case to Splunk Support. Ciao. Giuseppe
It just states within the console that it's 'unsupported' when viewing the forwarder status. The same as a forwarder of a much lower version would do, because it's not been upgraded...
Hi @AllandNothing , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi @AllandNothing, these are Add-Ons, so there isn't any alert or report saved in savedsearch.conf. Then I don't understand your second question. Usually Alerts and Reports are in Apps, not in Add-Ons. Ciao. Giuseppe
Hello @gcusello, thanks for your answer. In theory there aren't preconfigured searches in these two apps? And in that case, why isn't it present already without saving anything?