All Posts

A dashboard has a time range selector and a query search like the one below. The first search will apply the time range selector, but for the second search I want to set the earliest to the range selector earliest -7d@d. Does anyone know how to do this? Ex: today: 9/20, time range selector: 9/14~9/22; I expected the second search to be 9/7~9/22.
index="*" host="... | join type=left max=0 uid [search earliest=???  latest=$earliest$ index="*" host="... ] ...
Thanks.
Hi All, my file is not reindexing though I used the settings below in my inputs configuration file. The file is very small (300 chars) and won't change often; I want the file to reindex daily. Kindly help.
crcSalt = <SOURCE>
initCrcLength = 256
Fields have a name and values. They can be renamed. Values do not have names so they cannot be renamed. To change a value of a field, use the eval command to assign a new value.
| eval Device_Interface="x_y_z"
To change selected values of a field, use a condition within the eval.
| eval Device_Interface = if(Device_Interface="foo", "bar", Device_Interface)
Putting the field name in the else clause leaves the value unchanged if the condition is not met.
I developed my first app and am trying to integrate it into CIM using the documentation. So far I successfully defined an eventtype in eventtype.conf:
[my_event_type]
search = sourcetype=my_source
and when I search for this event type I get all the results:
eventtype=my_event_type
Now I continue to define tags, using this guide. My tags.conf file looks like this:
[eventtype=my_event_type]
alert = enabled
But nothing is returned when I search for:
tag=alert
Moreover, when I search for all types of tags I get only one type, "error", and its count is significantly less than the eventtype amount:
sourcetype=my_source | stats count by tag
In the guide it says "Once you have tagged an event type, you can search for it in the search bar" but I can't search for the tags. How can I troubleshoot the process? What should I look for? What am I missing? Thank you.
Hi @JohnEGones, probably there's a terminology misunderstanding: do you want to rename the field name or assign a value to the field based on a condition? If it's the first case, please define the old and the new name to assign to the field and the conditions. If the second, please define the field to assign the value to and the conditions for all the values. Ciao. Giuseppe
Thanks a bunch dhatch, we're back in business!
If the search runs then it counts toward SVC usage.  Hiding a panel does not prevent the search from running. To prevent a search from running in a hidden panel, embed an unset token in the query.
Hi Rich (and Giuseppe), I appreciate the prompt response. I realized that I messed up what I was asking, so some clarification:
<some search> | stats count by Device_Name, Device_Interface, SomeField | (here I want to rename the field *values* in Device_Interface that match the previous conditions, not rename the field name itself.)
So here I am renaming the below field value: Device_Interface="xyz" ==> Device_Interface="x_y_z"
BEFORE rename (this is a sample line from the stats output):
DeviceName, xyz, someValue
AFTER rename:
DeviceName, x_y_z, someValue
The rename command can't use conditions, but eval can.
<some query>
| eval "This String" = if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX", Value2, null())
| eval "This Other String" = if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY", Value2A, null())
Hi, any news on that? I actually had the same problem with 9.0.4. Tried with 9.0.6 and 9.1.1 with no luck. It seems to happen when trying to read "Forwarded Events" events; if limited by inputs to read "Security Events" it works without issues. Regards, Alex
Hello Team, I have 2 lookup datasets and I want to join them through a common field, MonthYear. I need to calculate transmission per dept = Total transmission * (size of dept / total size of dept). In lookup1 I need to calculate the proportion of size based on dept, e.g. Transmission for Eng dept = 119 * ((100+23) / 170).
Lookup1:
MonthYear  size  org       dept
July 2022  100   research  Eng
July 2022  23    research  Eng
July 2022  2     data      IU
July 2022  45    research  Lab
Total size 170
Lookup2:
MonthYear  Transmission  ID
July 2022  60            global
July 2022  34            global
July 2022  23            Pbg
July 2022  2             pcf
Total transmission 119
I made a merge of the 2 lookups with join using MonthYear but I am able to pass only one token value at a time. I need to get a pie chart based on the calculated formula for org and sort for top values in dept.
Code:
|inputlookup lookup2.csv
|search MonthYear="July 2022"
|join MonthYear [|inputlookup lookup1.csv]
|stats sum(Transmission) as TotalTransmission, sum(size) as Totalsize by MonthYear
|join MonthYear [|inputlookup lookup1.csv |search dept="Eng" |stats values(MonthYear) as MonthYear, sum(size) as DeptMem by dept]
|eval "Transmission per dept" = round(TotalTransmission * (DeptMem/Totalsize),2)
|fields "Transmission per dept"
After trying many possibilities, I eventually ran the reset collections in the asset and identity management section. It's the first time I have ever run this task, and it seems it solved the problem completely. Is reset collections something that I have to plan to execute periodically or according to some change that I make on the asset lookups? Are there any side effects in performing this task that I should be aware of?
Hi @Navanitha, what's the sourcetype of your Checkpoint data? Usually it's renamed and field extractions are related to the new sourcetypes. This means that you have to install the Checkpoint Add-on, both on SH and HF. In addition, you have to associate the sourcetype "cp_log" to the Checkpoint input so the Add-on can correctly modify the sourcetype. Read the instructions on the Checkpoint Add-on; which one are you using? Ciao. Giuseppe
Hi @AL3Z, let me understand: you can check the activity of a Universal Forwarder by searching on Splunk whether it sends internal logs. If it's down it doesn't send logs, but it's installed: what do you want to check? Then how do you want to merge Splunk data with other data like the one in the first row of your table? It isn't clear to me how you take the data. Ciao. Giuseppe
Hi @JohnEGones, you have to use eval with if or case, something like this:
<your_search>
| eval Value2=if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX", "This String", Value2)
| eval Value2A=if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY", "This Other String", Value2A)
Ciao. Giuseppe
I have a Splunk SH Cluster (3 SHs in the cluster) and we are collecting Checkpoint logs using Syslog; then a Splunk HF reads the Checkpoint logs (basically a flat file) and indexes them into Splunk. Now my issue is I see the events are extracted as they should be when we use an add-on. However I do not see any Checkpoint app/add-on installed on the SHs / HF. No manual field extractions either. I would like to know if there is any way to check how the fields are extracted? Secondly, we also have a separate SH running ES. On this, I don't see the events being extracted as I see on our SH cluster. I did try to install the Splunk Add-on for Checkpoint to parse the fields and make it CIM compliant but the fields are not extracted. I changed the sourcetype of the CP logs to match the add-on but still no luck. I am using Splunk Add-on for Check Point Log Exporter. Appreciate your thoughts on this.
Dear Team, I am an AppDynamics user in my organization. We have installed the Database agent on our own server and the AppDynamics team installed the AppDynamics front end on some server, I guess. We are able to see the DB Agents and Collectors and data in AppDynamics, but the issue is that we are able to see all the Agents (their metrics, policies etc.) of other agents in our org. This is inconvenient.
Do hidden and depends panels count towards SVC usage if not displayed?
Hello, I have installed Splunk ITSI several times on various types of infrastructure, and I am observing this behavior for the first time. The latencies all have zero values as if they are not being reported. I have adjusted the collection interval, but it hasn't made any difference. What I don't understand is that this issue concerns latencies of virtual machines, ESXi servers, and datastores, while all other KPIs are okay. Is it possible that Splunk cannot collect certain values even though others are being collected? Do you have any idea about the root cause of this error?
IT Service Intelligence Version: 4.17.0
Splunk Enterprise Version: 9.0.5
I am noticing that the eStreamer Client Add-On is generating a lot of logs and filling up my Enterprise server. Is there any way to mitigate this? It looks like the app will write 1000 lines of code per file. Is there any way to set an overwrite or scavenge setting so it doesn't just keep filling up the disk infinitely?
root@thall-splunk02:/opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk# du -sh /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk/
87G /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk/
root@thall-splunk02:/opt/splunk/etc/apps/TA-eStreamer/bin/encore/data/splunk# ll
total 90725612
drwx--x--- 2 root root 151552 Sep 18 02:06 ./
drwx--x--- 3 root root 4096 Sep 13 12:18 ../
-rw------- 1 root root 27279093 Sep 13 12:18 encore.1694621917.log
-rw------- 1 root root 28232829 Sep 13 12:18 encore.1694621924.log
-rw------- 1 root root 28304921 Sep 13 12:18 encore.1694621930.log
-rw------- 1 root root 28368804 Sep 13 12:19 en ...
wc -l encore.1694630328.log
10000 encore.1694630328.log