All Posts

No need for the renaming to _raw:

| makeresults | eval jsonData="{\"author\":\"John\",\"book\":\"Splunk\"}" | spath input=jsonData
Hi @Karthikeya, you must create indexes on the Indexers using the Cluster Manager, and that's what is relevant. Then, only to see the indexes in the dropdown lists on the HFs, you can create the indexes also on the HFs, but it's a workaround; they aren't used. You must only pay attention that the names are the same. Ciao. Giuseppe
So finally, data inputs from the HF take the index which is created on the indexers, right? Please clarify.
Hi @Karthikeya, as I said, indexes on HFs are a workaround to have the indexes list in the dropdowns, but they aren't really used, so you can use every path you like. It's obviously different on the Indexers, where the Volume is relevant. Ciao. Giuseppe
But on the indexers we have volumes, and here they cannot be configured. Is it fine? Finally, which index does the data input take? The one on the HF or the one which is there on the indexer?
Hi @Karthikeya, on the indexers you have the Volume; that's not relevant on HFs. Remove the volume definition and use:

$SPLUNK_DB/app_juniper_dev/db
$SPLUNK_DB/app_juniper_dev/colddb

Ciao. Giuseppe
Not able to create the same index on the HF; it is throwing this error. "Manually add the index in the conf files on Heavy Forwarders" ---> Where to do this for a particular data input? Please guide me.
Hi @gcusello, the values in the multiselect are from a search, but it doesn't matter. I know that I display the ones that match :-). Let me bring more details:

1. I do filtering in the multiselect filter.
2. I have, e.g., 27 matched values below in the filter.
3. I don't want to click 27 times on each to select all of them.
4. I want to click one time on "Select all matches", as it is in Studio, to select all matched values.
5. OR hit enter to select.
Hi @Karthikeya, it's normal: in the indexes list, you see only locally created indexes. You have two choices: create the index also on the HF even if you don't use it, only to see it in the dropdown choice lists; or manually add the index in the conf files on the Heavy Forwarders. Ciao. Giuseppe
Hi @LIS, are the values that you display in the multiselect from a search, or are they static? If from a search, you display only the ones that match. Ciao. Giuseppe
Below is inputs.conf before the blacklist lines:

[WinEventLog://Security]
disabled = 0
checkpointInterval = 5
# repeated key from the posted stanza; redundant but harmless, the later value wins
disabled = 0
start_from = oldest
renderXml = false
evt_resolve_ad_obj = 1
Below are the events for 4688 where the code gets captured in a field called "EventCode":

A new process has been created.

Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: SERVERNAME$
Account Domain: TRUE
Logon ID: 0x3E7

Target Subject:
Security ID:
Account Name:
Account Domain:
Logon ID:

Process Information:
New Process ID: 0x2650
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0xf7c
Process Command Line:
Need some guidance on the Splunk Cloud Kiteworks integration. We are utilizing the built-in UF of Kiteworks found on the admin console and sending it directly to the cloud. Did you use the forwarder app package, and how did you do it? I don't have access to the client's KW console. All I know is that currently it is asking us to upload 4 certificate files for TLS and not the forwarder app package. The Splunk Cloud and Splunk Enterprise toggle button is disabled as well, which is weird. I believe on a lower version there was no option for that, but we have it.
@livehybrid Thanks for the detailed explanation. I understand your point, but when I tried using the stats command it is working fine when I load the query from the Splunk dashboard widget, where it failed with chart. So I'm still not getting what actually went wrong.

index="*test" sourcetype=aws:test host=testhost lvl IN (Error, Warn) source="*testsource*" | table lvl msg _time source host tnt | stats count by lvl

Thanks, PNV
Does the time used in the search match the time you were expecting?
@gcusello Sorry for getting back late. I tried as you said; it is working fine now (values are matching now).

index="*test" sourcetype=aws:test host=testhost lvl IN (Error, Warn) source="*testsource*" | table lvl msg _time source host tnt | stats count by lvl

Please can you help me to know what was actually happening at the backend when chart was used, when it was supposed to give the same result (that is, in my original query)? Why did that affect the dashboard widget? Sharing this knowledge really helps me. Thanks in advance, PNV
Hi @gcusello, I have it, but the question is different. I want to select not all, but all matched :-).
@ITWhisperer: I tried both ways: running it manually by copy-pasting the query, as well as running it from the search icon in the widget. Also, by setting the time window manually. Still there was a discrepancy.
Hi, we have configured a data input on the HF, and there is an option to select an index there. I have created a new index on the Cluster Master and pushed it to the indexers. But that created index is not showing on the HF. I believe the HF is not linked in this cluster; that is why it is not showing. What to do in this case? I tried to create the same index on the HF, but our hot and cold paths contain volumes, which is failing to create the index on the HF. Please help me with what I can do. If I keep the default index on the HF, will it pick the index on the indexers? How to configure this? Please clarify my confusion here.
Hi @LIS, did you try to add a static choice called "All" using "*" as the value? Ciao. Giuseppe