All Posts

Hi Shaiju, thank you for your answer. Does this mean that support for version 2022.5.0 will not actually end until this issue is fixed? According to https://docs.appdynamics.com/appd/23.x/latest/en/product-and-release-announcements/maintenance-support-for-software-versions , support for version 2022.5.0 ended on June 23, 2023.
I have a UF that's configured to forward to a healthy intermediate HF (9997). The UF is producing "forcibly closed" errors, but the HF is healthy and is accepting TCP 9997 from other UFs. What could be the reason for this? Troubleshooting attempts made:
1. Confirming with the network team that rules are in place.
2. TCP dump from the destination (HF): packets received.
3. Telnet from the UF to the destination (9997): telnet completes.
Any other things I missed?
[Attachment: tcpdump from the HF]
[Attachment: HF's splunkd.log]
Is there a way to send a notification automatically to an analyst's email address when they are assigned as the owner of a notable event? I have seen the email response action, but that only triggers when the notable event is created. I have seen the ticketing system apps and that function is not what I am looking for. If this is not an option currently, please think about implementing it as a base feature of ES.
Do you have an example of the rest call you used to create the HEC?  
This is currently being investigated to evaluate the Alamofire incompatibility for versions succeeding 2022.5.0. Recommend continuing to use version 2022.5.0 to solve the problem.
Hello, thanks for the feedback. I will be more specific next time. I wasn't aware of the dc (distinct count) option in search. In the example you provided, how would I alert when the dc has a count of over 5? Thank you
I had the same issue after a recent Splunk upgrade: the token height was working, then it suddenly didn't. I found that it no longer liked the default condition being blank:
<set token="table1TableHeightCSS"></set>
<set token="table1TableAlertCSS"></set>
So I set the default to '1' and it worked for me:
<set token="table1TableHeightCSS">1</set>
<set token="table1TableAlertCSS">1</set>
Hello, I need help with increasing the default height of a Dashboard label. I can't figure out how this can be done. Currently, when loading the Dashboard, the label and Description look like this: [screenshot] I can manually increase the Height to look like this: [screenshot] But I need it to be defaulted at this Height: [screenshot] If it's not possible, is there a way to add a static text box below the Label? Here's the Source for the Label I currently have.
<label>SiteOne Automated Health Check Clone</label>
<description>test Infrastructure - +13 Press 1 for the Batch Processing Team Press 2 for the Security Team Press 3 for the Network Team Press 4 for the VOIP Team Press 5 for the Monitoring Team Press 6 for the Citrix Team Press 7 for the Server Team</description>
<row>
<panel>
Thanks for any help on this one, Tom
Use the strptime function to convert the current format into epoch form, then use strftime to convert that into the required format. The two functions can be used in a single eval.
| eval timefield=strftime(strptime(timefield, "%d/%m/%y"), "%Y-%m-%d")
Hi @Bastiaan, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated
Hi @dhiraj, you have to use the eval command with the strftime and strptime functions, like this:
| eval new_date=strftime(strptime(date,"%d/%m/%y"),"%Y-%m-%d")
Ciao. Giuseppe
Hello, I tested your suggestion and it worked, but my CSV file does not have /128. Can you answer the following questions? I appreciate your help.
1. a) Should I add /128 to all IPv6 addresses in my CSV file to get this to work?
   b) If yes, does it mean I need to put an extra layer in to check which one is IPv6 or IPv4 and then append /128?
2. Will OUTPUTNEW work just fine as in a regular lookup?
3. a) If I update the CSV file (with new fields), will the lookup definition still work?
   b) Is there a way to automate updating the lookup definition? I plan on creating an automatic update of the CSV, but it looks like the definition is tied to specific fields.
4. Note that if I use /120, it could return multiple results like the following:
expected ip | test mask 2 | test mask 4 | test mask 6
2001:db8:3333:4444:5555:6666::2101
Have you tried: Business Transaction Discovery Sessions (appdynamics.com)?
Hi, I have dozens of HTML Dashboards (I know it's deprecated...) running on iPads in our production. The Dashboards are used for user input for data our machines can't deliver themselves (like why the produced unit was bad instead of only that it was bad). Basically there are a few big buttons to choose from, to select an error reason for example. If the button is pressed, a Splunk search is executed with a collect command and the selected data is written into a summary index. This works most of the time but not always. I assume in 10-20% of searches, the search could not be finished because of a network connection error. This also happens sometimes when logging in to Splunk: an error "no network connection" occurs. Our network guys didn't find any issues on their side. And the other interesting part is, it only happens on iPads/iOS. On Windows machines it never happens! Has anybody come across the same issue or something similar? Thanks!
Hi, in a Splunk query I need to convert a date format as below. Current format: 07/09/23. Required format: 2023-09-07
Many thanks, I will get to it!
Hi @Bastiaan, as I said, follow the Splunk Search Tutorial and you'll quickly learn how to search on Splunk. Anyway, if you only have to search some strings, you can put them in the main search using the boolean operators to correlate them, remembering that the AND operator is the default. So if you want to find all events containing the strings you define, you could try to run:
index=your_index host=your_host ("CONFIG, commit* but not Succeeded" OR "snmpd.log") | table _time host TS_Agent
Then you can add the time conditions, but, as I said, follow the Search Tutorial. At least, don't use the "-" char in field names because Splunk uses it as the subtraction operator; use underscore "_". Ciao. Giuseppe
I see I have a lot to learn. The essence is: I want to get three things from the log of host "hostname". First, "CONFIG, commit* but not Succeeded"; I also want "snmpd.log" messages; and I want to get "TS-Agent" from the logging. But for the last one I'm not interested in what happens between 01:00 and 05:00, since they give errors during that time frame that I don't care about. For the other two filters/searches I want to get messages 24/7.
I have indexes created and I have 2 CSVs. The first is ipv6.csv and it has a column called ip; the second CSV is cmd.csv and it contains a critical_command column. Example:
ipv6.csv
ip
11.11.11.11
2.2.2.2
cmd.csv
critical_command
restart
shutdown
Now I want to search ip 11.11.11.11 and critical_command restart, or ip 2.2.2.2 and restart, in a certain index. How will I write the
Hi, in Splunk 9.1.x and above, we are noticing that moment.js is missing from the following location: /opt/splunk/share/splunk/search_mrsparkle/exposed/js/contrib/moment.js. Due to this, our custom app functionality is not working and we are getting the error attached. Please let us know if this is a known issue and whether there is any resolution for it. In spite of placing moment.js in our app folder, we still notice the app is trying to use the default moment.js in this location: "/opt/splunk/share/splunk/search_mrsparkle/exposed/js/contrib/moment.js". We have also tried another solution from the community by placing var moment = require('moment'); but it's still returning an error. Can you please provide any possible solution to resolve this issue?