All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Hi @PickleRick , Just an update to you. We have identified and resolved an issue related to a time discrepancy in our system, which was caused by the Oracle server's timezone configuration. The... See more...
Hi @PickleRick , Just an update to you. We have identified and resolved an issue related to a time discrepancy in our system, which was caused by the Oracle server's timezone configuration. The server was set to local time instead of UTC, resulting in a 10-hour time difference that affected [specific process, application, or data]. To address this, we have reconfigured the Oracle server to use UTC as the standard timezone, ensuring consistency and alignment with our operational requirements. This change has eliminated the time discrepancy, and all affected processes are now functioning as expected.
i installed splunk in distributed management environment. furthermore, my indexer server got reboot and i can't query my data even though at index = _internal. whereas previously it was fine.
ok so i have a drilldown so in this table there is a field solved which have default value 0 which means this particular severity is not solved . Now i want a button instead of 0 .like this ... See more...
ok so i have a drilldown so in this table there is a field solved which have default value 0 which means this particular severity is not solved . Now i want a button instead of 0 .like this now whenever a severity is being solved then when we click on this button it should change like this and this specific result  its value (solve field ) should be changed to 1. this is JS i am using but it is not working. plus ye script thi jo mai use kar raha hun   require([     'splunkjs/mvc/tableview',     'splunkjs/mvc/searchmanager',     'splunkjs/mvc',     'underscore',     'splunkjs/mvc/simplexml/ready!' ], function(     TableView,     SearchManager,     mvc,     _ ) {     var CustomLinkRenderer = TableView.BaseCellRenderer.extend({         canRender: function(cell) {             return cell.field === 'solved';         },           render: function($td, cell) {             var solved = cell.value;             var rowKey = cell.data.row.rowKey;               var icon = $('<a>')                 .attr("href", "#")                 .attr("title", "Mark as Solved")                 .css({                     "cursor": "pointer",                     "text-align": "center",                     "display": "inline-block",                     "width": "100%"                 });               icon.html('<i class="icon ' + (solved === "1" ? 'icon-check-circle' : 'icon-minus-circle') + '"></i>');               icon.on("click", function(e) {                 e.preventDefault();                   var $icon = $(this).find('i');                   // Only run update if not already solved                 if (solved === "1") {                     return; // Already marked as solved                 }                   $icon.removeClass("icon-minus-circle").addClass("icon-gear");                   var updateSearch = `                     | inputlookup sbc_major.csv                     | eval rowKey=tostring(rowKey)                     | eval match=if(rowKey="${rowKey}", "1", "0")                     | eval solved=if(match="1", "1", solved)                     | fields - match                     | outputlookup sbc_major.csv                 `;                   var updateManager = new SearchManager({                     id: "update-solved-" + _.uniqueId(),                     preview: false,                     cache: false,                     search: updateSearch                 });                   updateManager.on("search:done", function() {                     $icon.removeClass("icon-gear").addClass("icon-check-circle");                 });             });               $td.empty().append(icon);         }     });       var tableElement = mvc.Components.getInstance("sbc_alarm_table");     tableElement.getVisualization(function(tableView) {         tableView.table.addCellRenderer(new CustomLinkRenderer());         tableView.table.render();     }); });        
My url is "http://127.0.0.1:8000" in log4j2 and localhost is running on same port. Whereas the listener is 8081 port. Do all of these have to be same? Am i missing out anywhere?
Hi @daisy_st  The ITEW/ITSI comes with an internal license which is used for the itsi_* sourcetypes, this means it wont count towards any other license you have. To unlock ITEW into ITSI you do nee... See more...
Hi @daisy_st  The ITEW/ITSI comes with an internal license which is used for the itsi_* sourcetypes, this means it wont count towards any other license you have. To unlock ITEW into ITSI you do need a separate license key, however it sounds like this isnt an issue for you. Relating to the 500 error(s) - Is there anything else you can see around this?  * In the browser developer tools window, under Network, can you see the status=500 pages? Is there any response content for those api calls? * In the _internal index have a search for log_level=error "itsi"  and/or look around in the $SPLUNK_HOME/var/log/splunk/*itsi* files to see if that gives any clues - feel free to post any specific error logs here to help us diagnose.  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @SN1  Sorry Im not sure I fully understand - what is it you are wanting to implement with JS?
hi all, so I installed IT Essentials Work and am getting error 500. It is also displayed as ITSI under Apps and not as IT Essentials Work. Also, there are 2 licenses available for some reason. I did... See more...
hi all, so I installed IT Essentials Work and am getting error 500. It is also displayed as ITSI under Apps and not as IT Essentials Work. Also, there are 2 licenses available for some reason. I didn't add any. I don't have a license for ITSI, nor want to use ITSI. The app is installed via CLI, following Splunk's guidelines. Any suggestions what the reason could be? there is a dev license used as well so not sure if this has anything to do with the issue. Thanks!  
i want to implement it using JS is it possible?
I can confirm @dural_yyz observation. In our case as well this was not an error just weird logging telling you, connection successful but nothing to read. Try reducing frequency of your query or ig... See more...
I can confirm @dural_yyz observation. In our case as well this was not an error just weird logging telling you, connection successful but nothing to read. Try reducing frequency of your query or ignore this.
No element was found to write: java.lang.ArrayIndexOutOfBoundsException: In our case, this one really was not an error just bad logging telling you nothing to read.  It's possible that you are c... See more...
No element was found to write: java.lang.ArrayIndexOutOfBoundsException: In our case, this one really was not an error just bad logging telling you nothing to read.  It's possible that you are checking messages too frequent or there was nothing at the API endpoint the time you queried.  
Hi @therealjosh  Try something like in the below SPL example, although if you have more info and sample logs or your existing search then this would help us tailor the response further | makeres... See more...
Hi @therealjosh  Try something like in the below SPL example, although if you have more info and sample logs or your existing search then this would help us tailor the response further | makeresults count=14 | eval _time=relative_time(now(), "-" . (ceil(random()%7)) . "d") | eval source=if(random()%2==0, "A", "B") | eval value=round(random()%200) | bin _time span=1d | stats sum(value) as total by source _time | eventstats sum(total) as week_total | eval threshold=(week_total/7)*0.5 | eval color=case(total < threshold, "red", total < threshold*2, "yellow", 1=1, "green")  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @fhatrick  Check the following points to troubleshoot why logs are not appearing in Splunk using the HEC-based SplunkHTTP log4j logging options: Splunk HEC URL and Token Ensure the url in yo... See more...
Hi @fhatrick  Check the following points to troubleshoot why logs are not appearing in Splunk using the HEC-based SplunkHTTP log4j logging options: Splunk HEC URL and Token Ensure the url in your config points to your Splunk HTTP Event Collector (HEC) endpoint, not localhost unless Splunk is running on the same host as MuleSoft. Example: url="https://<splunk-server>:8088" The token value must match exactly the HEC token configured in Splunk. HEC Configuration in Splunk Confirm that HEC is enabled in Splunk (Settings > Data Inputs > HTTP Event Collector). The token is enabled and assigned to the correct index (indexname). Index Existence and Permissions Verify the index (indexname) exists in Splunk and your user has permission to search it. Network Connectivity Ensure the MuleSoft server can reach the Splunk HEC endpoint (no firewall or network issues) - use something like netcat to check this (nc -vz -w1 yourServer 8088) Testing HEC Directly Test HEC by sending a sample event using: curl -k https://<splunk-server>:8088/services/collector/event \ -H "Authorization: Splunk <token>" \ -d '{"event":"test event", "index":"indexname"}' If this event appears in Splunk, the HEC and index are working. Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Good day Everyone,  Currently trying to instrument Oracle Forms and Reports for some of the critical applications that are used within my enterprise, The way I'm configuring it is as follows:  ... See more...
Good day Everyone,  Currently trying to instrument Oracle Forms and Reports for some of the critical applications that are used within my enterprise, The way I'm configuring it is as follows:  1. Launch the WebLogic Server 2. Enter the Managed Server (1 for Forms and 1 for Reports) 3. Add -javaagent arguments to the "arguments" section for each of the managed servers and restart the managed servers themself.  What this gives me:  1. I am able to see Forms and Reports discovered as separate tiers within AppDynamics, showing Servelet calls.  2. I am able to see the RCU database which is required for the Weblogic startup that contains Metadata.  What I am missing and trying to achieve:  1. I am missing the connection to the actual transactional database that works with this application. 2. Once the above point is complete, to use data collectors for transaction snapshots to output the User ID and help co-relate exactly which Forms are working slowly or having errors so that this can be resolved by the Application team.  If the community has any information on custom instrumentation that can be done to achieve the two points mentioned above, that would be extremely helpful, insights from previous tries to instrument Oracle Forms and Reports are also welcome and highly appreciated.  Also please feel free to let me know if monitoring the Admin Server itself via Startup Script might be the way forward, to resolve the issues mentioned above, as well as any information or guidance towards monitoring via the OPMN file that was mentioned in another forum which I've been reading on, if anybody has the experience. All AppDynamics Discussions posts - Link to the forum mentioning OPMN.xml file configuration. Thank you for taking the time to read and sharing your thoughts! JVM Instrumentation Agent  
Hi @RSS_STT  It isnt possible to use typical data forwarding from Splunk Cloud to another system.  The only Splunkbase apps I have seen for things like sending to HEC or external systems generally ... See more...
Hi @RSS_STT  It isnt possible to use typical data forwarding from Splunk Cloud to another system.  The only Splunkbase apps I have seen for things like sending to HEC or external systems generally arent supported for Splunk Cloud, therefore the only other option would be to run something that uses the Search API to search the data and send it to the appropriate place. Ultimately this is a very bad idea and not something that is supported or encouraged.  What is your ultimate goal? Is there a reason you arent able to forward the data from source to multiple destinations, or use federated search to query the data from Splunk Cloud from your other instance? The only other route I can think of is using Ingest Actions to send the data to S3 and then using the AWS TA to ingest this using your other Splunk instance.  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing  
I have two separate Splunk cloud instance and want to forward specific set of data from one instance to another. Please suggest the approach or any app/add-on available for this purpose. 
Hi @shoaibalimir  Yes you can achieve this by using a bar chart, you need to separate the different status into series:   Please find dashboard studio example below: { "title": "StatusDas... See more...
Hi @shoaibalimir  Yes you can achieve this by using a bar chart, you need to separate the different status into series:   Please find dashboard studio example below: { "title": "StatusDash", "description": "", "inputs": { "input_global_trp": { "options": { "defaultValue": "-24h@h,now", "token": "global_time" }, "title": "Global Time Range", "type": "input.timerange" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } } } }, "visualizations": { "viz_11HT7uMG": { "dataSources": { "primary": "ds_wtNWwpS3" }, "options": { "dataValuesDisplay": "off", "legendDisplay": "off", "legendTruncation": "ellipsisMiddle", "seriesColorsByField": { "bigissue": "#ff0000", "online": "#008000", "smallissue": "#FFA500" }, "showIndependentYRanges": false, "showOverlayY2Axis": false, "showRoundedY2AxisLabels": false, "showSplitSeries": false, "showY2MajorGridLines": true, "stackMode": "stacked", "xAxisLabelRotation": 0, "xAxisTitleVisibility": "show", "y2AxisAbbreviation": "auto", "y2AxisTitleVisibility": "show", "yAxisAbbreviation": "auto", "yAxisTitleVisibility": "show" }, "type": "splunk.column" } }, "dataSources": { "ds_wtNWwpS3": { "name": "Column chart search", "options": { "query": "| makeresults count=60\n| streamstats count AS minute\n| eval _time = relative_time(now(), \"-1h\") + (minute-1)*60\n| eval success_count=case(\n minute IN (5, 21, 35, 48), 53, \n minute IN (14, 27, 42), 58, \n 1=1, 60\n)\n| eval success_pct = round(success_count/60*100, 1)\n| eval status = case(\n success_pct >= 99, \"online\",\n success_pct >= 95, \"smallissue\",\n success_pct < 95, \"bigissue\"\n)\n| table _time, minute, success_count, success_pct, status\n\n| timechart span=1m latest(success_pct) by status", "queryParameters": { "earliest": "-60m@m", "latest": "now" } }, "type": "ds.search" } }, "layout": { "globalInputs": [ "input_global_trp" ], "layoutDefinitions": { "layout_1": { "options": { "display": "auto", "height": 960, "width": 1440 }, "structure": [ { "item": "viz_11HT7uMG", "position": { "h": 250, "w": 1440, "x": 0, "y": 10 }, "type": "block" } ], "type": "absolute" } }, "options": {}, "tabs": { "items": [ { "label": "New tab", "layoutId": "layout_1" } ] } } }  Did this answer help you? If so, please consider: Adding karma to show it was useful Marking it as the solution if it resolved your issue Commenting if you need any clarification Your feedback encourages the volunteers in this community to continue contributing
Hi @Cheng2Ready , ok, it's a differenty solution and it's ok. about your search, you have to decide if you want to use the lookup command (as your original solution) or a subsearch using NOT [...],... See more...
Hi @Cheng2Ready , ok, it's a differenty solution and it's ok. about your search, you have to decide if you want to use the lookup command (as your original solution) or a subsearch using NOT [...], as my solution, but not the last solution that you shared. I prefer my solution because it's a best practice to move all the possible search conditions in the main search. Ciao. Giuseppe  
Hi @shoaibalimir , there's a visualization very similar to your one: the Swimline App ( https://splunkbase.splunk.com/app/3708 ). Otherwise, you could create a dashboard containing many panels, one... See more...
Hi @shoaibalimir , there's a visualization very similar to your one: the Swimline App ( https://splunkbase.splunk.com/app/3708 ). Otherwise, you could create a dashboard containing many panels, one for each region, but I'm not sure that it can be dinamic. Ciao. Giuseppe
Then I think definitely it something related to Log4j configuration or on Spark/Java side in which I have 0 experience, so I'm sorry I won't be able to help you, but I hope someone else in the commun... See more...
Then I think definitely it something related to Log4j configuration or on Spark/Java side in which I have 0 experience, so I'm sorry I won't be able to help you, but I hope someone else in the community will be able to help.
Hi all, I'm exploring ways to get a specific visualization on Splunk Dashboard, I have attached the screenshot as reference below: In this, if I hover on the yellow or orange bar, it should giv... See more...
Hi all, I'm exploring ways to get a specific visualization on Splunk Dashboard, I have attached the screenshot as reference below: In this, if I hover on the yellow or orange bar, it should give the SLA Value, and if I click on the arrow, categories, and further drilldown to the services, currently I've a setup in which SLA Value is represented by Gauge Widget Visualization. Please assist me if there's any method to get this kind of visualization. Many Thanks in advance!