Your dropdown token, for example

<input type="dropdown" token="environment">
  <label>Environment</label>
  <choice value="prod">PROD</choice>
  <choice value="test">TEST</choice>
</input>

... and then the searches just use that token

index=AAA_$environment$_index sourcetype IN (abc:edge:api, abc:edge:api) proxy!="ow*" $client_token$ $target_token$
| rex mode=sed field=proxy "s#^(.*?)_(.*)$#*_\2#"
| stats count by proxy

----

index=BBB_$environment$_index sourcetype=accesslog tenant=$tenant_token$
| stats count by HTTPStatusCode
What data is the correlation between the same event - please give an example of the data you may see and what you would expect. For example, if you have an event yesterday with key1=A, key2=B, key3=C and an event today with key1=A, key2=B, key3=D what do you want to show? If you have lots of events with different fields, is there some common object that connects those events to today's events?
What do you expect from 26,26,29 or 26,28,29? Are there always only 3 numbers?
I can't understand this, all other stuff works great, I receive all the information I enabled, I have installed these apps both on forwarders and search heads, all that is missing is the "savedsearches.conf". I would appreciate suggestions because at the moment it is very important for me to obtain these searches.
I have events with the following keys: key1, key2 & key3. I would like to get the change events, i.e. events whose key1, key2 & key3 values are not in the events of the previous day. What should the query look like?
I have a dropdown with two values PROD and TEST. Based on my selection in my panels in the dashboard I have to choose a different index for my search. How can I do this? Example of two searches (which also include other tokens; these can be ignored). Both searches work if I directly put in the right index.

1/
index=<IF PROD then AAA_prod_index else AAA_test_index> sourcetype IN (abc:edge:api, abc:edge:api) proxy!="ow*" $client_token$ $target_token$
| rex mode=sed field=proxy "s#^(.*?)_(.*)$#*_\2#"
| stats count by proxy

2/
index=<IF PROD then BBB_prod_index else BBB_test_index> sourcetype=accesslog tenant=$tenant_token$
| stats count by HTTPStatusCode
I recently upgraded or rather installed a Splunk UF version 9.1.1 which communicates back to Splunk Cloud but I seem to get an Unsupported error on the console. Is using version 9.1.1 of a forwarder not supported with the below Splunk Cloud?

Version: 9.0.2209.3
Build: ec7eaea0bba6
Experience: Victoria
I see why you are an "Esteemed Legend," Sir! I learned A LOT in this, like, for the first time how 'stats' can be used to figure things out. For those coming later:

index="policyguru_data" resourceId="sip*" ("CONNECTED" OR "ENDED")
    <-- This gets both sets of data I need in one pass.
| eval status=if(searchmatch("CONNECTED"),"CONNECTED","ENDED")
    <-- Then creates a new column (status) that just has "CONNECTED" or "ENDED" in it.
| stats dc(status) AS status_count
    <-- distinct count, so since by guid, if it has both, it'll be 2. If it only has 1, it'll be 1.
        values(status) AS status
    <-- display the values in a field called 'status' (I don't need this but it's nice to see/learn!)
        values(meta) AS meta
    <-- same as above
        last(timestamp) AS timestamp
    <-- capture the most recent timestamp (since there will be two for the matches)
        BY guid
| where status_count=1 AND status="CONNECTED"
    <-- Then, use 'where' to keep the ones that only have "CONNECTED" (so they do NOT have an ENDED record, which is exactly what I want).

Thank you, Legend!
Hi Friends, I am trying to create a bar chart with trends (as line) for numbers of tickets received for every month. I need to show the data label for only one month in the chart. Please let me know how we can achieve this. Currently, it shows the data label for all months but I need to show it for the first month alone. Thanks.
Hi @Phuc.Duong Quang, Thanks for sharing additional information for this issue!
Hi @John.Groetzinger, Thanks for clarifying! You can head on over to the Idea Exchange and do that. Please have a read of the Idea Exchange Submission Guidelines to make sure you submit a complete idea.
We are having the same issue; the weird thing is that it isn't affecting all servers, just one so far, and we are using the exact same installer, all our servers are built the same...
This is meant to be a feature request as I was told it was not possible to do this. If it is possible to do today that would be great. I don't have an admin role on my tenant; the admins told me I needed to open an idea/feature request. If this is possible today then I would just like to know how to do it; no one I've talked to seems to think it is possible and hence asked me to open the discussion here.
Hello @John.Groetzinger, I saw a similar post as this was also created that read more like a feature request. Thanks for providing more detail here. Are you looking for workarounds or do you want to submit this as a feature request?
Hi @Jeffrey.Leedy, Thanks for sharing the solution, the community appreciates it!
I will test it again later today and let you know if I then see an error.  I know the library I wanted to bring in splunklib did not exist.
We don't know what's going on, either. What makes you think it's "erroring out" if there are no errors? You may have to add some debugging code to the script so it tells you more about what is happening.
Unfortunately it doesn't give me one. So I'm not positive what's going on.
All the timestamps in the JSON we receive are UTC, but the TA ignores the time zone in the ISO 8601 string, so it defaults to local time. Thus, all our events are timestamped several hours into the future. I noticed that the timestamps Google provides vary from millisecond to nanosecond precision, but trailing zeros are truncated before the "Z" is tacked on. This makes it difficult to specify a time format with a trailing time zone that will work for every event. But instead, shouldn't all the source types have TZ = UTC in props? Am I the only one with this problem?