All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Posts

Re: cron schedule

by in Splunk Enterprise
‎09-11-2023 06:58 AM
‎09-11-2023 06:58 AM
Hi @av_ ! There's a tool some of us use to provide a gut-check, crontab guru (not affiliated in any way with it - just a user),  which I used on the cron you provided: https://crontab.guru/#*/5_21-... See more...
Hi @av_ ! There's a tool some of us use to provide a gut-check, crontab guru (not affiliated in any way with it - just a user),  which I used on the cron you provided: https://crontab.guru/#*/5_21-23,0-13_*_*_0-5 The tool's assessment, is the cron runs on Sundays. If we breakdown the cron, the last part (0-5) sets the days of the week. So it we try changing that to 1-5, it appears it may work for you. */5 21-23,0-13 * * 1-5 There are other tools out there. There's nothing magical about what I used, but I like it for people who are unfamiliar with cron. Good luck! If this helped you, please provide it a thumbs up.

Re: Scan Behavior

by SplunkTrust in Splunk Search
‎09-11-2023 06:53 AM
‎09-11-2023 06:53 AM
Hi @Dustem, you schedule your search every day (using the last day as time frame) and you save the results in a summary index, one event every day. Then you can schedule a search on the summary ind... See more...
Hi @Dustem, you schedule your search every day (using the last day as time frame) and you save the results in a summary index, one event every day. Then you can schedule a search on the summary index, using three days as time frame. Ciao. Giuseppe

Re: Scan Behavior

by in Splunk Search
‎09-11-2023 06:46 AM
‎09-11-2023 06:46 AM
Hi gcusello, How do I set it to trigger at the same time in three days?

Re: Data is not displayed even though the query previously worked

by SplunkTrust in Getting Data In
‎09-11-2023 06:28 AM
‎09-11-2023 06:28 AM
Please provide the field extraction itself, as defined in props.conf or transforms.conf.

Re: verifying the Splunk on local systems

by SplunkTrust in Knowledge Management
‎09-11-2023 06:27 AM
1 Karma
‎09-11-2023 06:27 AM
1 Karma
Hi @AL3Z, for forwarders, you should have a list of all the UFs to monitor in a lookup calleg e.g. perimeter.csv, containing at least one field (host). Then you can run a search like the following:... See more...
Hi @AL3Z, for forwarders, you should have a list of all the UFs to monitor in a lookup calleg e.g. perimeter.csv, containing at least one field (host). Then you can run a search like the following: | tstats count WHERE index=_internal BY host | eval host=lower(host) | append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0 in this way you have the list of UFs not sending logs. If you want a table with all hosts with their status, you could run something like this: | tstats count WHERE index=_internal BY host | eval host=lower(host) | append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ] | stats sum(count) AS total BY host | eval status=if(total=0,"Missing","Present) Ciao. Giuseppe

Re: how to remove where clause based on search input

by in Dashboards & Visualizations
‎09-11-2023 06:24 AM
1 Karma
‎09-11-2023 06:24 AM
1 Karma
Thank you very much, replaced where with search and that worked like a charm

Re: how to remove where clause based on search input

by SplunkTrust in Dashboards & Visualizations
‎09-11-2023 06:21 AM
‎09-11-2023 06:21 AM
Hi @merc14, probably you're meaning that you could have events without the productType, obviously these events aren't matched by the All (*) value. You could modify the input adding an additiona st... See more...
Hi @merc14, probably you're meaning that you could have events without the productType, obviously these events aren't matched by the All (*) value. You could modify the input adding an additiona static value to search the events without productType. If you could share the input code, I can be more detailed. Ciao. Giuseppe

Re: verifying the Splunk on local systems

by in Knowledge Management
‎09-11-2023 06:13 AM
‎09-11-2023 06:13 AM
For UF,  Can you pls provide with the search to find all the host  contains Forwarder !

Re: how to remove where clause based on search input

by SplunkTrust in Dashboards & Visualizations
‎09-11-2023 06:11 AM
1 Karma
‎09-11-2023 06:11 AM
1 Karma
You can't remove code from SPL based on input.  Nor does SPL allow for conditional execution.  The solution is to set the "All" value of $dropdown$ to a value that is valid for all productType values... See more...
You can't remove code from SPL based on input.  Nor does SPL allow for conditional execution.  The solution is to set the "All" value of $dropdown$ to a value that is valid for all productType values.  Often, this is "*".  It may be necessary to change where to search.

how to remove where clause based on search input

by in Dashboards & Visualizations
‎09-11-2023 06:06 AM
‎09-11-2023 06:06 AM
I have a search query that takes a search value from a drop down.  Example Drop down has values All A B Query uses  | where productType="$dropdown$" How do I remove the where clause if All is... See more...
I have a search query that takes a search value from a drop down.  Example Drop down has values All A B Query uses  | where productType="$dropdown$" How do I remove the where clause if All is selected. There is no productType - All
Labels

Machine Agent unable to register to the Appd SaaS Controller - Connection timed out

by in Splunk AppDynamics
‎09-11-2023 06:01 AM
‎09-11-2023 06:01 AM
Hi Team,  I am trying to install the Machine Agent on a Unix Machine hosted in AWS .  Installation is fine, i can see the Appd Machine Agent service up and running. But it is not getting registered ... See more...
Hi Team,  I am trying to install the Machine Agent on a Unix Machine hosted in AWS .  Installation is fine, i can see the Appd Machine Agent service up and running. But it is not getting registered to the controller .  When i check the logs, it shows up a Timed out error.  Is there anything specific i need to do for AWS Ec2 instances that has machine agents installed there 

Re: Data is not displayed even though the query previously worked

by in Getting Data In
‎09-11-2023 05:56 AM
‎09-11-2023 05:56 AM
Oh wow, I really hadn't thought of that at all. I started the extraction via here and followed the steps shown:   ...    

Re: verifying the Splunk on local systems

by SplunkTrust in Knowledge Management
‎09-11-2023 05:56 AM
‎09-11-2023 05:56 AM
Hi @AL3Z, can you run a script to check the process? Ciao. Giuseppe

Re: verifying the Splunk on local systems

by in Knowledge Management
‎09-11-2023 05:53 AM
‎09-11-2023 05:53 AM
For SE,  Its not possible to access the interface or check if the Splunk process is active for all other machines from my machine.

Re: SPL search

by SplunkTrust in Dashboards & Visualizations
‎09-11-2023 05:29 AM
‎09-11-2023 05:29 AM
Change the time range of the search to start in July 2023.  That may be within the lift_activity_marco_1d macro.

Re: Data is not displayed even though the query previously worked

by SplunkTrust in Getting Data In
‎09-11-2023 05:26 AM
1 Karma
‎09-11-2023 05:26 AM
1 Karma
Please share how the extracted_hostname field is extracted (with more detail than "via the GUI").  It sounds like the extraction makes an assumption that applies only with two-digit dates.

cron schedule: How can we cutomise the cron?

by in Splunk Enterprise
‎09-11-2023 05:25 AM
‎09-11-2023 05:25 AM
My splunk instance is running in GMT and I want to schedule an alert as per China time.  */5 21-23,0-13 * * 0-5 This is the cron. The logic is to trigger the alert every 5minutes from Monday to frid... See more...
My splunk instance is running in GMT and I want to schedule an alert as per China time.  */5 21-23,0-13 * * 0-5 This is the cron. The logic is to trigger the alert every 5minutes from Monday to friday 5AM till 10 PM china Time but the alert is getting triggered on Sunday as well. How can we cutomise the cron?  
Labels

Re: verifying the Splunk on local systems

by SplunkTrust in Knowledge Management
‎09-11-2023 05:23 AM
‎09-11-2023 05:23 AM
Hi @AL3Z, are youskeaking of Splunk Enterprise or Splunk Universal Forwarder? if SE, you can try to access the interface or check if the Splunk process is active. if UF, you can see in Splunk if y... See more...
Hi @AL3Z, are youskeaking of Splunk Enterprise or Splunk Universal Forwarder? if SE, you can try to access the interface or check if the Splunk process is active. if UF, you can see in Splunk if you have internal logs (index=_internal host=<your_host>), or check if the Splunk process is active. Ciao. Giuseppe

How to verify the Splunk on local systems?

by in Knowledge Management
‎09-11-2023 05:20 AM
‎09-11-2023 05:20 AM
Hi, I am attempting to determine if Splunk is installed on all of our local systems within our environment. Is there a way to check this through Tags, the Windows Registry (regedit), or ParentProce... See more...
Hi, I am attempting to determine if Splunk is installed on all of our local systems within our environment. Is there a way to check this through Tags, the Windows Registry (regedit), or ParentProcessname or a PowerShell script? If so, could you please provide guidance on the process? Thanks

Re: Scan Behavior

by SplunkTrust in Splunk Search
‎09-11-2023 05:19 AM
‎09-11-2023 05:19 AM
Hi @Dustem, you could save the results of you search in a summary index (using the collect command), then execute the alert on the summary index and trigger it if you have more than 3 results. Ciao... See more...
Hi @Dustem, you could save the results of you search in a summary index (using the collect command), then execute the alert on the summary index and trigger it if you have more than 3 results. Ciao. Giuseppe