All Posts


Hi @Pikta, you need an eval - case command, something like this:

<your_search>
| eval OS=case(
    like('operating-system',"Microsoft Windows Server%"), "Windows Server",
    like('operating-system',"Microsoft Windows%"), "Windows OS",
    'operating-system'="Linux", "Linux",
    'operating-system'="CentOS", "Linux",
    'operating-system'="Ubuntu", "Linux")

Obviously, you can enlarge the command also with other options. Next time, if possible, don't use "-" (or spaces) in field names; use underscore (_), because Splunk uses "-" as an operator, so you have to use quotes in the field name.

Ciao.
Giuseppe
Hello, I have a table view. In this table view is a column named operating-system. I want to create a new column OS where I want to rename the OS, for example all Microsoft Windows Server versions just renamed to Windows Server, all Linux versions and distributions to Linux, and so on. For example:

operating-system               | OS
Microsoft Windows 10           | Windows OS
Microsoft Windows 8            | Windows OS
Linux                          | Linux
Microsoft Windows Server 2019  | Windows Server
Microsoft Windows Server 2012  | Windows Server
CentOS                         | Linux
Ubuntu                         | Linux
Microsoft Windows Server 2016  | Windows Server
How to detect failed passwords on Splunk?
Hi, I have a Splunk Enterprise installation composed of 3 clustered indexers. I need to forward all the events received on port 9997 to an external system. Data must be indexed locally but also sent to this external system. I can't do this operation directly from the universal forwarders because of network restrictions. Is there a way to achieve this goal on the indexers' side?
It is not clear why span=7d is not working for you. Please can you provide example events which demonstrate the issue (anonymised of course)?
That worked perfect! I also used the 5 min scheduled search as suggested using a cron schedule. Thank you @gcusello you sir are indeed a legend!
As I mentioned, that timeout is for rest.simpleRequest() and not for the custom REST endpoint you might have in your app. To set that parameter for your custom REST handler, you can add it in web.conf under your REST handler's stanza:

splunkdConnectionTimeout = 120

(For reference - https://community.splunk.com/t5/Splunk-Search/How-do-I-change-the-REST-API-execution-timeout/m-p/295689)

I hope this helps!!! Kindly upvote if it does!!!
Found the issue. It's a mismatch when using a browser with a dark theme. Until they fix it, you'll need to use a light themed browser unfortunately.
Thank you so much. Finally I have my intended dashboard ready. Many thanks for your help
Would love to add a trend line for the amount of cores, so it's easier to see if it's trending up or down (and maybe even a forecast?).
Yes, the solution works, thanks @gcusello !
Hello Everyone, I have set up a Splunk OTel Collector sidecar container along with my application container in AWS ECS Fargate to send APM traces to Splunk Observability Cloud. Everything seems to be working, but I was trying to add a container health check to see if my sidecar container is healthy or not. I have added a basic script that should always pass the checks. I have tried running the script/command after logging in to the container and it works perfectly fine, but when I configure it as part of my healthcheck it fails.

Image: quay.io/signalfx/splunk-otel-collector:latest

Command used for the healthcheck:
"/usr/lib/splunk-otel-collector/agent-bundle/bin/curl -f http://localhost:13133 || exit 1"

Has anyone faced this issue before? Please help.

Thanks
Hi @michaelnorup, sorry, I forgot the main question: which trend do you want to display? In other words, with the previous search you have the number of used cores; what do you want to add to the graph?

Ciao.
Giuseppe
Hi @beepbop, let me understand: you want to create a new field where, if the year of "Warranty_End_Date" is 2026, you put 2026, otherwise "NA", is that correct? If this is your requirement, you could try something like this:

| eval WarEnd=if(strftime(strptime('Warranty_End_Date',"%d/%m/%Y"),"%Y")="2026", "2026", "NA")

Ciao.
Giuseppe
Hi, this is the loadjob:

| savedsearch "Server - XXXXXX"
| fillnull value=-
| search SerialNumber!=VMware*
| eval ServerName = host
| eval ServerName = upper(ServerName)
| eval Virtual="N/A"
| eval PowerState="PoweredOn"
| append [| savedsearch "Server - Vmware info"
    | eval CPU_Arch = "x86_64"
    | eval Cores = CpuCount
    | eval DiskGB = ProvisionedSpaceGB
    | eval Virtual="VMware"]
| table _time Date Customer ServerName Cores MemoryGB DiskGB CPU_Arch PowerState Virtual Landscape SID System Instance
| fillnull value=-
| eval Date=strftime(_time, "%x")
| dedup ServerName,Date

Can you use that? ^^ Thanks
Hi @VatsalJagani, Yes, that is what I want to set. If you look into `$SPLUNK_HOME/lib/python3.7/site-packages/splunk/rest/__init__.py`, line number 52, you will find a parameter 'splunkdConnectionTimeout'. I believe if somehow I can set this parameter from outside, I will be able to increase the timeout. Upon going through the documentation, I found out 'web.conf' might be a way to do that. https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Webconf In this documentation, you will find the 'splunkdConnectionTimeout' parameter. But I am unable to figure out how to use this config file through the app. Basically I need to set this timeout variable through my app only; there should be no external effort. If there is any other way to do it, I am open to that also.
Hi, I have data with the following dates under the field "Warranty_End_Date":

Warranty_End_Date  Manufacturer
4/1/2026           Lenovo
4/8/2026           Lenovo
1/9/2026           Acer
4/1/2025           Apple
19/7/2023          Acer
4/1/2026           Acer
4/4/2026           HP
8/1/2028           Lenovo
10/1/2022          Lenovo
4/1/2026           Apple
4/1/2026           Apple
4/1/2026           Lenovo
4/1/2026           Lenovo
4/1/2026           Lenovo
4/3/2026           Lenovo
4/3/2026           Lenovo

I want to create a new field with similar values with respect to Warranty_End_Date. I tried the command

eval WarEnd = case("Warranty_End_Date" = "*2026", "2026", 1=1, "NA")

and similarly for other years, but got no proper output.
Hi @michaelnorup, about the trendline: if you have data to create the trendline in the results of the loadjob, you could elaborate them. I cannot see them because, after a timechart, you don't have other fields; see, by removing the timechart, which fields you have, so you could modify your search. If you would like help, please share your search in text mode (using the Insert/Edit Code Sample button), not as a screenshot, eventually with a masked part, to avoid re-writing all the search.

Ciao.
Giuseppe
Hi @Hemnaath, as I said, it's a Splunk Supported App, so you can open a ticket to Splunk Support.

Ciao.
Giuseppe
Hi Giuseppe. Thanks, makes sense, thanks a lot. Do you have any idea about the trendline then?