All Posts


Not really. You can get a list of use cases with these two queries, but you'll have to add your own filters based on your knowledge of the data. For instance, some VPN use cases may not contain the string "vpn".

| rest /servicesNS/-/-/saved/searches

| rest /servicesNS/-/-/data/ui/views
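An added example (not from the post above) that runs both REST calls from the reply and applies one text filter over the fields where a VPN use case usually shows up: the saved search's title, description and search string, and for dashboards the title, label and the Simple XML body (eai:data). The regex terms other than "vpn" and the choice of these fields are my assumptions; replace the terms with the VPN products actually in your environment.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| eval object_type="saved search",
       match_text=title." ".coalesce(description,"")." ".coalesce('search',"")
| append [
    | rest /servicesNS/-/-/data/ui/views splunk_server=local
    | eval object_type="dashboard",
           match_text=title." ".coalesce(label,"")." ".coalesce('eai:data',"")
  ]
| where match(match_text, "(?i)vpn|anyconnect|globalprotect")
| table object_type, title, eai:acl.app, eai:acl.owner, disabled
| sort object_type, eai:acl.app, title
```

Matching on eai:data catches a dashboard whose panels search a VPN sourcetype even when nothing in its title says "vpn". The REST endpoints only return objects the calling user is allowed to read, so run this as a user with access to all apps if you want the complete inventory.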
We will get back to you with more details, as the issue is currently being investigated.
Is there any search or shortcut to list out all the VPN use cases in my environment?
I am also looking for an answer to this question. I tried with sendmail format=html as well, but it did not work.
Found the solution: the HTML styling for the link-list input being placed in the fieldset is what caused the submit button to move down. Moving the styling into a random search panel allowed the submit button to line back up.

<form theme="dark">
  <label>Clear Filters</label>
  <fieldset submitButton="true">
    <input type="multiselect" token="Choice">
      <label>Choices</label>
      <choice value="*">All</choice>
      <choice value="Choice 1">Choice 1</choice>
      <choice value="Choice 2">Choice 2</choice>
      <choice value="Choice 3">Choice 3</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="link" token="Clearer" searchWhenChanged="true" id="list">
      <label></label>
      <choice value="Clear">Clear Filters</choice>
      <change>
        <condition value="Clear">
          <unset token="form.Choice"></unset>
          <unset token="form.Clearer"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>| makeresults | eval Message="Thanks for the help!" | table Message</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </single>
      <html>
        <style>
          #list button {
            color: white;
            background: green;
            width: 100%;
            width: 130px !important;
            display: inline-block;
          }
        </style>
      </html>
    </panel>
  </row>
</form>
That's a question only you and your coworkers can answer.  Review your VPN use cases and the fields they use.  Anything else, in theory, can be eliminated.  Of course, future use cases may need an eliminated field so be prepared to add them back some day.
That's a challenge, because machines without a Splunk forwarder installed will not be reporting anything to Splunk.  You would need to have a list of all machines then subtract those that have a forwarder installed (which Splunk can provide) to get the list of machines missing a forwarder.
Apologies, to find hosts without Splunk forwarders.
Hi, are there any specific fields in the VPN logs we can exclude, which are not needed for investigation, so that we can save on license cost?
That's a difficult sentence to parse.  I hope I understand the request. Instructions for installing Splunk on Linux systems are at https://docs.splunk.com/Documentation/Splunk/9.1.1/Installation/InstallonLinux .  You won't find a ready-made script, but the documented steps should be easy enough to automate.  Many customers use software management tools to deploy software on all machines. I don't understand what is meant by "find out the system with out Splunk."
Let's take a step back.  What is the desired output of this query?  Is it to list the file names that are in both the index and the lookup?  Something else? My latest example is *like* what you've already done, but is different and should have a different result.  Have you run it?  If so, what is the exact text of the error(s)? Please eliminate the ellipsis in the stats command.  The behavior of the command can change depending on the hidden arguments.
Hi @gcusello, currently the choices in Data Entity stay as static values, e.g. (Airbag Scheduling, Material, Cost Summary). Based on the value that I select from Data Entity, I wanted to do a comparison of that value in my eval command to set the correct token to use in later queries, so that I know that token belongs to a specific option of Data Entity. So how do I transform these Data Entity options based on the value selected in the first dropdown (domain)? E.g., if I select MM in the 1st dropdown, I should get options pertaining to MM; if I select Goods in the 1st dropdown, I should get options pertaining to Goods. It can be one option or multiple on the Data Entity.

</input>
<input type="dropdown" token="domainToken">
  <label>Data Entity</label>
  <choice value="0-a,1-b,2-b,3-,4-,5-,6-a">Airbag Scheduling</choice>
  <choice value="0-d,1-e,2-e,3-,4-d,5-d,6-d">Material</choice>
  <choice value="0-e,1-f,2-f,3-e,4-,5-,6-">Cost Summary</choice>
  <choice value="0-f,1-e,2-b,3-b,4-md,5-a">All</choice>
  <change>
    <eval token="domainToken1">mvindex(split($value$,","),2)</eval>
    <eval token="objectToken2">mvindex(split($value$,","),1)</eval>
    <eval token="objectToken1">mvindex(split($value$,","),0)</eval>
    <eval token="outputToken1">mvindex(split($value$,","),3)</eval>
    <eval token="outputToken2">mvindex(split($value$,","),4)</eval>
    <eval token="outputToken3">mvindex(split($value$,","),5)</eval>
  </change>
</input>

search query1:
<query>index=$indexToken$ source IN ("A-B-$objectToken1$", "/A-B-$stage-$objectToken2$", "/A-B-$domainToken1$")</query>

search query2:
<query>index=$indexToken$ source IN ("C-$outputToken1$-D-", "E-$outputToken2$-F", "G-$outputToken3$-H")</query>

search query3:
<query>index=$indexToken$ source IN ("C-$outputToken1$-D-", "E-$outputToken2$-F", "G-$outputToken3$-H")</query>
Thank you so much ! it worked. I was clueless what was happening and all this time it was a trailing space character !
Hi @sanurd1, unfortunately this is not available yet, but we are continuing to work on it. You can also check the release notes when new Splunk versions are released to see when it is available.
@gcusello I tried the query below:

index=abc sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day

and I am getting the error below:

Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")'.
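An added note, not from either post in this thread: the eval parser stops at the `*` in front of the string literal, which is not valid eval syntax. The same search with the star dropped, so that EBNCStatus is set to the literal text; `column1` is still only a placeholder for the real name of the first column, as in the earlier reply.

```spl
index=abc sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus="ebnc event balanced successfully", Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day
```

Because EBNCStatus is now a constant, `dedup EBNCStatus Day` keeps exactly one row per day on which the message was seen.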
Hi! We're having a similar issue as well, with splunk-winevtlog and splunk-perfmon being the culprits, but Signature P4 is not KERNELBASE but the splunk process itself. It only affects Server 2019. Bursts of AppCrash show up every 5 minutes or so. We've tried versions 9.0.6 and 9.1.1. We opened a support case, turned on DEBUG logging and sent them diags, etc. .. the works. What we've found was that clearing the WER folder of AppCrash files, C:\ProgramData\Microsoft\Windows\WER (Settings > Storage > Free Space > Windows Error Report - check Delete Files), would cease the issue on that single server, at least until the issue gets triggered again. Did you get your issue fixed with release version 9.0.6 @PeterBoard? Thanks
I need to join the file_name field between the subsearch and the main search. Your example is like what I did, but I have an error message, as I said in my example. I have also tested putting a rex field just before the stats command; I have no error but also no results, even if a common event exists between the main search and the subsearch.....

| rex field=NewProcessName "(?<file_name>\w+\w+\.exe)" | stats values(file_name) as file_name....
Hi @Manish_Sharma, if you're speaking of servers using the universal forwarder, you can use a search like the following:

index=_internal | stats count BY host

and check the list against the ones managed by the DS. If you're speaking of other hosts without the universal forwarder, it's a longer search:

index=* | stats count BY host

Ciao. Giuseppe
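As an added example, not part of Giuseppe's reply, the subtraction described in this thread written out as one search: every host that has written splunkd logs to _internal in the window is treated as having a forwarder, that set is merged with an inventory list, and only the inventory rows with no match are returned. The lookup all_hosts.csv (one `host` column, e.g. a CMDB export) is assumed to exist, and the 24-hour window and the lowercase/short-name normalisation are my choices.

```spl
| tstats max(_time) as last_seen where index=_internal sourcetype=splunkd earliest=-24h by host
| eval has_forwarder=1
| append [
    | inputlookup all_hosts.csv
    | fields host
  ]
| eval host=lower(replace(host, "\..*$", ""))
| stats max(has_forwarder) as has_forwarder, max(last_seen) as last_seen by host
| where isnull(has_forwarder)
| table host
```

The normalisation strips the domain and lowercases so that `web01.example.com` in the inventory matches `WEB01` as the forwarder reports itself; drop the replace() if short names are not unique in your estate. Two caveats: _internal also carries the indexers', search heads' and heavy forwarders' own splunkd logs, so those show up as "covered" even though they are not universal forwarders, and a forwarder that is installed but cannot reach the indexers is indistinguishable here from one that was never installed.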
Hi @aditsss, if you don't want the last row with some empty fields, you have to remove empty lines. You can do it knowing the name of the first column (which I don't know) and putting in a rule (if the column is called "column1"):

index="abc" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" "ReadFileImpl - ebnc event balanced successfully"
| eval True=if(searchmatch("ebnc event balanced successfully"),"✔","")
| eval EBNCStatus=*"ebnc event balanced successfully",Day=strftime(_time,"%Y-%m-%d")
| dedup EBNCStatus Day
| search column1=*
| table EBNCStatus True Day

Ciao. Giuseppe
Hi @love0sxy, if you want to manage deploymentclient.conf via the Deployment Server, you have to follow the procedure I described in my previous answer, because files in the $SPLUNK_HOME/etc/system/local folder aren't manageable by the DS; for this reason the changes aren't effective. Ciao. Giuseppe