I'm having trouble getting my duration into the format I'd prefer... I'd like to see the duration to be MM:SS. However, despite a few different approaches, I keep getting milliseconds.
Check KV Store Status

Open Command Prompt as Administrator.

Navigate to your Splunk bin directory:
cd C:\Program Files\Splunk\bin

Run the following command to check KV Store status:
splunk show kvstore-status

If the KV Store is running, you will see a status message indicating it is ready. Let us know what this shows.

Also - I assume you've already tried restarting Splunk? I see you've posted errors from splunkd.log - are there any other logs relating to mongo/KV Store, or anything in mongod.log?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi @simon_b , sorry for the late reply but hopefully this helps others that have the same question. Can you try using the exact token name in the Set tokens interaction without appending "form." ?
Are you recommending enableOldS2SProtocol=true? Are you implementing enableOldS2SProtocol=true? If yes, read below.

Splunk has dropped support for the oldest S2S version. However, it added the enableOldS2SProtocol config to allow the forwarder to use the oldest protocol.

With enableOldS2SProtocol=true, the forwarder is allowed to use the oldest protocol (protocol level 0), the first ever protocol. You are essentially using an almost 20-year-old protocol.

With enableOldS2SProtocol=false, the forwarder is allowed to use minimum protocol level 1 with the negotiateProtocolLevel config. If negotiateProtocolLevel is not set (by default it is not set), then the forwarder and receiver will negotiate the latest common protocol supported by both forwarder and receiver. If you are on a Splunk 9.2.x receiver and the forwarder is 9.0.x and above, then protocol 6 is being used.

When protocol negotiation happens between fwd and receiver, if the receiver says protocol 0, fwd does not accept that and still uses minimum supported protocol 1 unless enableOldS2SProtocol=true is set on fwd.

Suggesting enableOldS2SProtocol=true on fwd means the receiver is only capable of protocol 0 and fwd is being forced to use protocol 0.

Suggesting enableOldS2SProtocol=true and negotiateProtocolLevel=0 on fwd means fwd is forced to use protocol 0 regardless of the receiver's protocol level.

Protocol levels:
0: Maximum network traffic over S2S connection.
1: Network traffic optimization over S2S connection.
2: Additional network traffic optimization over S2S connection.
3: Metric support.
4: Ack support for rawless metric events.
5: Flag potential dup events.
6: Flag for cloned metric events so that cloned events are exempted from license usage.
7: SSL certificate requests

Make an informed decision.
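A defensive check for the two settings discussed in the post above, added here as an example; it is not part of the original post and not Splunk tooling. It scans outputs.conf text for stanzas that enable enableOldS2SProtocol or set negotiateProtocolLevel; the sample file, group names, host names and the accepted boolean spellings are assumptions made for the illustration.

```python
import re

# Constructed sample of a forwarder's outputs.conf (not taken from the page).
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997
enableOldS2SProtocol = true
negotiateProtocolLevel = 0

[tcpout:secondary_indexers]
server = idx2.example.com:9997
# enableOldS2SProtocol = true
negotiateProtocolLevel = 1
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]$")
SETTING = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")
TRUE_VALUES = {"true", "1"}  # assumption: boolean spellings to treat as enabled


def audit_s2s(conf_text):
    """Return (stanza, finding) pairs for stanzas that allow or pin old S2S levels.

    Each stanza is judged as written; inheritance between stanzas is not modelled.
    """
    settings, stanza = {}, "default"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out settings
        if m := STANZA.match(line):
            stanza = m.group("name")
        elif m := SETTING.match(line):
            settings.setdefault(stanza, {})[m.group("key")] = m.group("value").strip()
    findings = []
    for name, kv in settings.items():
        old = kv.get("enableOldS2SProtocol", "false").lower() in TRUE_VALUES
        level = kv.get("negotiateProtocolLevel")
        if old and level == "0":
            findings.append((name, "forwarder forced to protocol level 0"))
        elif old:
            findings.append((name, "protocol level 0 permitted"))
        elif level is not None:
            findings.append((name, f"negotiateProtocolLevel explicitly set to {level}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_s2s(SAMPLE_OUTPUTS_CONF):
        print(f"[{name}] {finding}")
```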
Hi @RinaB

It looks like the app hasn't been updated for over a year, so it's possible that it was previously cloud compatible but has lost the status due to not being updated. The support contact for the app is kustoossidc@microsoft.com so it might be worth emailing that address to see if they can update the app to be Splunk Cloud compatible, as it could be as simple as them rebuilding it with the latest libraries.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi @secure

You could use rex to get the first part of the hostname like this:

| makeresults
| eval listA="xyz1apac" ,listB="xyz1apac.ent.bhpbilliton.net"
| append [| makeresults | eval listA="xyz2" ,listB="xyz2.ent.bhpbilliton.net"]
| append [| makeresults | eval listA="xyz3emea" ,listB="xyz3emea"]
| append [| makeresults | eval listA="xyz4abc" ,listB="xyz4abc.ent.bhpbilliton.net"]
| fields - _time
| rex field=listA "(?<hostA>[^\.]+)"
| rex field=listB "(?<hostB>[^\.]+)"
| eval matching=if(hostA != hostB, "NOT OK", "OK")

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi, I have a list of servers coming from two different sources. List A has servers without domain names and list B has servers with and without domain names. I was trying to compare the two lists and get matching and not matching values. The problem is both lists have the same server, but because of the domain name it says not matching. I understand the if function is probably not the correct choice, and when I use case with like it gives me an error. Any suggestions on this?

| makeresults
| eval listA="xyz1apac" ,listB="xyz1apac.ent.bhpbilliton.net"
| append [| makeresults | eval listA="xyz2" ,listB="xyz2.ent.bhpbilliton.net"]
| append [| makeresults | eval listA="xyz3emea" ,listB="xyz3emea"]
| append [| makeresults | eval listA="xyz4abc" ,listB="xyz4abc.ent.bhpbilliton.net"]
| fields - _time
| eval matching=if(listA != listB, "NOT OK", "OK")

Thanks
Hi all, I have installed 2 add-ons, Splunk DB Connect and Splunk Add-on For Oracle Database. According to the DOCS of Splunk, Splunk DB Connect will have Input templates from Import from Add-on For Oracle Database. However, it only has the default template of DB Connect. Is there any other way, such as manual configuration, to import them? Thanks.
No they do not relate to each other - I am not sure why this just started happening - anyway the totalCapacity never changes so I could hardcode this value for now until I figure something out.
Hi @LizAndy123

You can use stats values(fieldName) as fieldName with an optional by someOtherField if you have a field for which each of these relate (e.g. host). See my example below:

| makeresults count=2
| streamstats count
| eval field=IF(count=1,"totalCapacity", "usedCapacity")
| eval value=json_array_to_mv("[12323455667,233445]")
| eval value=mvindex(value,count-1)
| eval {field}=value
| eval host="abc"
| table host *Capacity
| stats values(totalCapacity) AS totalCapacity, values(usedCapacity) AS usedCapacity

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Hi @_Mauro_Costa_, you could try with:

| eval date=if(dayweek IN ("Saturday","Sunday"),strftime(strptime(date,"%d/%m/%Y %H:%M"),"%d/%m/%Y 09:00"), date)

Ciao.
Giuseppe
Hello, I have 2 columns, one with date and the other with the day of week. Based on the day of week, whenever it is Saturday or Sunday, I want to change the time to 9 am. How can I do this?

submitted          dayweek     result
13/03/2025 14:24   Thursday    13/03/2025 14:24
12/03/2025 09:31   Wednesday   12/03/2025 09:31
11/03/2025 13:45   Tuesday     11/03/2025 13:45
10/03/2025 18:11   Monday      10/03/2025 18:11
09/03/2025 11:21   Sunday      09/03/2025 09:00
08/03/2025 21:55   Saturday    08/03/2025 09:00
07/03/2025 10:24   Friday      07/03/2025 10:24